Vulnerabilities in Apache Tomcat

The Apache Tomcat project has disclosed CVE-2026-24733, a Low-severity security constraint bypass that can be triggered through HTTP/0.9 requests when access-control rules are configured in a particular way. The issue was found by the Apache Tomcat security team, and the initial advisory was published on 2026-02-17.
The root cause is that Tomcat did not limit HTTP/0.9 requests to the GET method. HTTP/0.9 is an obsolete, minimal protocol variant that predates modern method and header handling and is rarely used today; the specification defines only GET, so any other method on an HTTP/0.9 request line is invalid by definition. Because Tomcat nevertheless accepted other methods over HTTP/0.9, an attacker who can reach a Tomcat instance and send crafted HTTP/0.9-style traffic can cause an unexpected gap in the enforcement of security constraints.
The bypass occurs when a Tomcat security constraint is configured to permit HEAD requests to a URI but deny GET requests to the same URI. Under standard HTTP versions that rule set prevents the resource body from being retrieved with GET. CVE-2026-24733 lets an attacker circumvent the GET constraint by sending a specification-invalid HEAD request over HTTP/0.9, which Tomcat processes in a way that returns the body.
The exposure is narrow by nature: it requires a specific constraint configuration (HEAD permitted, GET denied) and a request path on which HTTP/0.9 parsing is accepted end to end. It still matters for legacy integrations, unusual clients, and proxy or topology combinations where protocol normalization may not behave as expected.
Versions Affected and Countermeasures

The affected ranges include both older end-of-life releases and currently maintained Tomcat branches. Because security fixes may not be safely backportable, organizations running EOL versions should treat this as a prompt to move to a supported branch.

Affected Tomcat branches:

  Branch   Affected versions          Fixed in
  11.0     11.0.0-M1 to 11.0.14       11.0.15+
  10.1     10.1.0-M1 to 10.1.49       10.1.50+
  9.0      9.0.0.M1 to 9.0.112        9.0.113+
  EOL      all older branches         upgrade to a supported branch

Older, end-of-life branches are also affected; Apache advises updating to the fixed releases listed above.
As a practical hardening step, teams should also review the access-control intent for HEAD versus GET on protected endpoints, and confirm that any load balancers or fronting reverse proxies do not permit unexpected protocol downgrade behavior.
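One way to carry out that review is to scan a deployed web.xml for the exact constraint shape the advisory describes: a url-pattern whose GET requests fall under an auth-constraint while HEAD requests on the same pattern fall under none. The script below is an added example, not code from the advisory or the Tomcat project; the embedded web.xml is a constructed sample.

```python
"""Flag Tomcat web.xml security-constraints that restrict GET but leave HEAD open."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the advisory): /admin/* denies GET
# outright but says nothing about HEAD, the shape CVE-2026-24733 abuses.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method-omission>OPTIONS</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _covers(wrc, method):
    """Does this <web-resource-collection> apply to the given HTTP method?"""
    named = {m.text.strip().upper() for m in wrc.findall("http-method")}
    omitted = {m.text.strip().upper() for m in wrc.findall("http-method-omission")}
    if named:
        return method in named
    if omitted:
        return method not in omitted
    return True  # no method element at all: the constraint covers every method

def head_get_mismatches(web_xml):
    """Return url-patterns where some <auth-constraint> restricts GET but none restricts HEAD."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
    get_restricted, head_restricted = set(), set()
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: this constraint denies nothing
        for wrc in sc.findall("web-resource-collection"):
            for up in wrc.findall("url-pattern"):
                pattern = up.text.strip()
                if _covers(wrc, "GET"):
                    get_restricted.add(pattern)
                if _covers(wrc, "HEAD"):
                    head_restricted.add(pattern)
    return sorted(get_restricted - head_restricted)

if __name__ == "__main__":
    for pattern in head_get_mismatches(SAMPLE_WEB_XML):
        print(f"{pattern}: GET restricted but HEAD unrestricted; review against CVE-2026-24733")
```

The check compares constraints pattern by pattern, so a broader pattern such as /* that also restricts HEAD is not credited; treat each hit as an item to review rather than a confirmed exposure.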