Apache Tomcat Flaw Allows Security Bypass via HTTP/0.9; Upgrade Urged

Apache Tomcat Vulnerability Allows Security Constraint Bypass via HTTP/0.9 Requests

Apache Tomcat, a widely used Java servlet container, has disclosed a security vulnerability identified as CVE-2026-24733. This low-severity flaw allows an attacker to bypass security constraints by sending HTTP/0.9 requests to a server with a specific constraint configuration.

Understanding the Vulnerability

The core issue arises from Tomcat’s handling of HTTP/0.9 requests. HTTP/0.9 is an obsolete protocol version that supports only the GET method. In deployments where a security constraint denies GET for certain URIs but permits HEAD for the same URIs, an attacker can send a HEAD request in HTTP/0.9 form. Because of how Tomcat resolves the method in this case, the server may process the request as a GET, circumventing the restriction the constraint was meant to enforce.

Affected Versions

The vulnerability impacts multiple versions of Apache Tomcat across different branches:

– 11.x: Versions 11.0.0-M1 through 11.0.14
– 10.1.x: Versions 10.1.0-M1 through 10.1.49
– 9.0.x: Versions 9.0.0.M1 through 9.0.112

Older, end-of-life (EOL) versions are also susceptible but will not receive a fix. Organizations running these versions are strongly advised to upgrade to a supported release.

Mitigation Measures

To address this vulnerability, the Apache Software Foundation recommends upgrading to the following fixed versions:

– 11.x: Version 11.0.15 or later
– 10.1.x: Version 10.1.50 or later
– 9.0.x: Version 9.0.113 or later

In addition to upgrading, administrators should:

1. Review Security Constraints: Examine web.xml and any programmatic constraints to ensure that access control rules involving the HEAD and GET methods are set as intended, and in particular that no constraint denies GET while leaving HEAD permitted for the same URIs.

2. Assess Proxy and Load Balancer Configurations: Verify that any reverse proxies or load balancers in front of Tomcat instances do not permit unexpected protocol downgrades that could facilitate this bypass.
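The configuration review in step 1 is easiest to understand with a concrete web.xml fragment. The following is an added example, not taken from the advisory or from Tomcat's own documentation: the first constraint is the pattern that produces exactly the precondition described above (GET denied, HEAD and every other method left uncovered), and the second shows the corrected form. The `/admin/*` path and the `admin` role are assumptions chosen for illustration; both fragments sit inside a `<web-app>` declared as Servlet 3.1 or later, since `<deny-uncovered-http-methods/>` was introduced in that version.

```xml
<!-- WEAK: listing <http-method>GET</http-method> restricts ONLY GET.
     HEAD, POST and every other method on /admin/* stay uncovered, i.e.
     reachable without the admin role. This is the "HEAD allowed, GET
     denied" configuration that the HTTP/0.9 bypass depends on. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (weak)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>   <!-- assumed path -->
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>          <!-- assumed role -->
  </auth-constraint>
</security-constraint>

<!-- HARDENED: omit <http-method> entirely. A constraint with no method
     list covers every HTTP method, so GET and HEAD are treated alike. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (hardened)</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- If some other constraint in this web.xml still needs a method list,
     this top-level element (Servlet 3.1+) makes the container deny any
     method that a constraint leaves uncovered instead of allowing it. -->
<deny-uncovered-http-methods/>
```

Two checks help confirm the fix on a running instance. First, Tomcat logs a startup warning for each security constraint whose `<http-method>` list leaves other methods uncovered, so a clean startup log after the change is a useful signal. Second, if you genuinely need to exclude a single method from a constraint, use `<http-method-omission>` rather than enumerating the methods you want covered, because an enumeration silently leaves out HEAD and any method added later. For step 2, note that Apache httpd 2.4.24 and later can refuse HTTP/0.9 at the proxy with `HttpProtocolOptions Require1.0`, which removes the request form this bypass relies on before it reaches Tomcat.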

Broader Context

While this vulnerability is classified as low severity due to its specific exploit conditions, it underscores the importance of comprehensive security configurations. Attackers often seek out such nuanced flaws to gain unauthorized access, making it imperative for organizations to stay vigilant and proactive in their security practices.

Conclusion

Apache Tomcat’s disclosure of CVE-2026-24733 highlights the need for continuous monitoring and updating of server configurations. By promptly upgrading to the recommended versions and reviewing security settings, organizations can mitigate the risk posed by this vulnerability and maintain the integrity of their web applications.