BIT-tomcat-2026-42498

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-42498.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-tomcat-2026-42498

Aliases

CVE-2026-42498
GHSA-fv25-8xcx-gqjc

Published

2026-05-14T11:56:44.150Z

Modified

2026-05-18T20:56:05.210993176Z

Summary

Apache Tomcat: WebSocket authentication header exposure

Details

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0 through 11.0.21, from 10.1.0 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / tomcat

Package

Name: tomcat
Purl: pkg:bitnami/tomcat

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

10.0.0

Fixed

10.1.55

Introduced

11.0.0

Fixed

11.0.22

Introduced

9.0.0

Fixed

9.0.118

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-42498.json"