CVE-2026-41293 – Apache Tomcat

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“Critical web server weaknesses can turn authentication and access controls into points of failure.”

Apache patched multiple Critical vulnerabilities in Apache Tomcat. CVE-2026-41293 has a CVSS score of 9.8, which is Critical severity. CVE-2026-43512 has a CVSS score of 9.8, which is Critical severity. CVE-2026-43515 has a CVSS score of 9.1, which is Critical severity.

The update addresses improper input validation, digest authentication bypass, and improper authorization when multiple method constraints define an HTTP method for the same extension. Successful exploitation could allow attackers to bypass authentication or authorization controls and gain access beyond intended restrictions. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Apache Tomcat
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-20
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.