BIT-tomcat-2026-24733

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-24733.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-tomcat-2026-24733

Aliases

CVE-2026-24733
GHSA-qq5r-98hh-rxc9

Published

2026-02-20T09:52:58.708Z

Modified

2026-02-20T10:41:00.482290Z

Summary

Apache Tomcat: Security constraint bypass with HTTP/0.9

Details

Improper Input Validation vulnerability in Apache Tomcat.

Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.

Older, EOL versions are also affected.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.

Database specific

{
    "severity": "Unknown",
    "cpes": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*"
    ]
}

References

Affected packages

Bitnami / tomcat

Package

Name: tomcat
Purl: pkg:bitnami/tomcat

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.113

Introduced

10.1.0

Fixed

10.1.50

Introduced

11.0.0

Fixed

11.0.15

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-24733.json"