OESA-2026-2296

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2296
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2296
Upstream
  • CVE-2026-41284
  • CVE-2026-41293
  • CVE-2026-42498
  • CVE-2026-43512
  • CVE-2026-43513
  • CVE-2026-43514
  • CVE-2026-43515
Published
2026-05-15T14:00:09Z
Modified
2026-05-15T14:15:07.615819Z
Summary
tomcat security update
Details

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Security Fix(es):

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.(CVE-2026-41284)

Improper Input Validation vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.(CVE-2026-41293)

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.(CVE-2026-42498)

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.(CVE-2026-43512)

Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.(CVE-2026-43513)
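The LockOutRealm entry above names the weakness class (improper handling of case sensitivity) but not the mechanism. The following is an added example, not Tomcat's LockOutRealm code, that shows the shape of such a bug: a failed-login counter keyed on the username exactly as submitted, in front of a backing user store that matches usernames case-insensitively. The credential store, the case variants and the guess list are constructed for the demonstration, and the `key_for` parameter is this example's own knob, not a Tomcat attribute.

```python
"""Lockout keyed on the raw username vs. on a canonical form.

Added example; this is not Tomcat's LockOutRealm. It assumes a backing user
store that matches usernames case-insensitively (as directory services
commonly do), so "admin", "Admin" and "ADMIN" are the same account.
"""
from collections import defaultdict

FAILURE_LIMIT = 3

# Constructed credential store; keys are the canonical (lower-case) usernames.
_USERS = {"admin": "correct horse battery staple"}


class BackingRealm:
    """Case-insensitive username lookup; counts how often it was consulted."""

    def __init__(self):
        self.calls = 0

    def authenticate(self, username: str, password: str) -> bool:
        self.calls += 1
        return _USERS.get(username.lower()) == password


class LockoutRealm:
    """Refuses a username after FAILURE_LIMIT consecutive failures.

    `key_for` maps the submitted username to the lockout-counter key (assumed
    name for this example). The identity function reproduces the weak
    behaviour; str.lower keys on the same canonical form the backing realm
    compares, so every case variant shares one counter.
    """

    def __init__(self, inner: BackingRealm, key_for=lambda u: u):
        self.inner = inner
        self.key_for = key_for
        self.failures = defaultdict(int)

    def authenticate(self, username: str, password: str) -> bool:
        key = self.key_for(username)
        if self.failures[key] >= FAILURE_LIMIT:
            return False                      # locked: backing realm not consulted
        if self.inner.authenticate(username, password):
            self.failures[key] = 0
            return True
        self.failures[key] += 1
        return False


# Constructed attacker input: the same account under varying case, one guess each.
VARIANTS = ["admin", "Admin", "ADMIN", "aDmin", "adMIN"]
GUESSES = ["password", "letmein", "123456", "hunter2", "qwerty", "admin123"]


def guesses_evaluated(key_for) -> int:
    """How many wrong guesses reach the backing realm before lockout bites."""
    inner = BackingRealm()
    realm = LockoutRealm(inner, key_for)
    for i, pw in enumerate(GUESSES):
        realm.authenticate(VARIANTS[i % len(VARIANTS)], pw)
    return inner.calls


def lockout_holds(key_for) -> bool:
    """After FAILURE_LIMIT failures on 'admin', is the correct password
    submitted as 'ADMIN' still refused?"""
    realm = LockoutRealm(BackingRealm(), key_for)
    for pw in GUESSES[:FAILURE_LIMIT]:
        realm.authenticate("admin", pw)
    return not realm.authenticate("ADMIN", _USERS["admin"])


if __name__ == "__main__":
    for name, fn in (("raw username", lambda u: u), ("case-folded", str.lower)):
        print(f"{name:13}: {guesses_evaluated(fn)} guesses evaluated, "
              f"lockout holds: {lockout_holds(fn)}")
```

With the raw-username key, every case variant gets its own counter, so all six guesses reach the backing realm and the correct password under a fresh spelling is accepted after the account should be locked. With the counter keyed on the canonical form the backing store actually compares, only the first three guesses are evaluated and the lockout holds. The page does not describe how Tomcat's fix is implemented; the remediation it gives is the upgrade to 9.0.118 (or 10.1.55 / 11.0.22).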

Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.(CVE-2026-43514)
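The AJP entry above describes an observable timing discrepancy when the shared secret is compared. The following is an added example, not Tomcat's AJP connector code, showing why an early-exit comparison leaks: the work it performs grows with the length of the matching prefix, and an attacker who can observe that work recovers the secret byte by byte. The secret and the candidate alphabet are constructed for the demonstration, the attacker is assumed to know the secret's length, and because real timing is noisy the attacker reads the comparator's byte count directly rather than a clock.

```python
"""Why an early-exit comparison of a shared secret is observable.

Added example; this is not Tomcat's AJP connector code. SECRET and ALPHABET
are constructed for the demonstration, and the attacker is assumed to know
the secret's length. Real timing measurements are noisy, so the attacker
here reads the comparator's work count directly; over a network the same
signal is recovered statistically from many timed requests.
"""
import hmac

SECRET = b"s3cr3t-ajp-shared-key"          # constructed example secret (21 bytes)
ALPHABET = bytes(range(0x20, 0x7F))        # printable ASCII candidate bytes


def naive_equals(guess: bytes, secret: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(guess) != len(secret):
        return False, 0                   # length mismatch rejected immediately
    for i, (g, s) in enumerate(zip(guess, secret)):
        if g != s:
            return False, i + 1           # work grows with the matching prefix
    return True, len(secret)


def constant_time_equals(guess: bytes, secret: bytes) -> bool:
    """Work independent of where the first mismatch is."""
    return hmac.compare_digest(guess, secret)


def recover_by_work(secret: bytes) -> bytes:
    """Recover `secret` one byte at a time from naive_equals' work count.

    For each position, try every candidate byte with NUL padding after it; the
    correct byte is the one that lets the comparison run one byte further (or,
    on the final position, succeed outright).
    """
    known = b""
    while len(known) < len(secret):
        best_byte, best_score = None, -1
        for c in ALPHABET:
            guess = known + bytes([c]) + b"\x00" * (len(secret) - len(known) - 1)
            equal, work = naive_equals(guess, secret)
            score = work + (1 if equal else 0)   # success breaks the last-byte tie
            if score > best_score:
                best_byte, best_score = c, score
        known += bytes([best_byte])
    return known


if __name__ == "__main__":
    print("naive work, all bytes wrong:   ", naive_equals(b"x" * len(SECRET), SECRET)[1])
    print("naive work, 20 of 21 correct:  ", naive_equals(SECRET[:-1] + b"!", SECRET)[1])
    print("recovered via work count:      ", recover_by_work(SECRET))
    print("constant-time match on secret: ", constant_time_equals(SECRET, SECRET))
```

The all-wrong guess is rejected after one byte, the guess with twenty correct leading bytes after twenty-one, and that difference is exactly the signal `recover_by_work` exploits. `hmac.compare_digest` exposes no such gradient; the general rule is to compare secrets with a comparison whose running time does not depend on the position of the first mismatch.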

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.(CVE-2026-43515)

Database specific
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP4
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.118-1.oe2003sp4

Ecosystem specific

{
    "noarch": [
        "tomcat-9.0.118-1.oe2003sp4.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2003sp4.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.118-1.oe2003sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json"
openEuler:22.03-LTS-SP4
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.118-1.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "tomcat-9.0.118-1.oe2203sp4.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2203sp4.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.118-1.oe2203sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json"
openEuler:24.03-LTS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.118-1.oe2403sp3

Ecosystem specific

{
    "noarch": [
        "tomcat-9.0.118-1.oe2403.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2403.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2403.noarch.rpm",
        "tomcat-9.0.118-1.oe2403sp1.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2403sp1.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2403sp1.noarch.rpm",
        "tomcat-9.0.118-1.oe2403sp3.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2403sp3.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2403sp3.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.118-1.oe2403.src.rpm",
        "tomcat-9.0.118-1.oe2403sp1.src.rpm",
        "tomcat-9.0.118-1.oe2403sp3.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json"
openEuler:24.03-LTS-SP1
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.118-1.oe2403sp1

Ecosystem specific

{
    "noarch": [
        "tomcat-9.0.118-1.oe2403sp1.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2403sp1.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2403sp1.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.118-1.oe2403sp1.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json"
openEuler:24.03-LTS-SP3
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
9.0.118-1.oe2403sp3

Ecosystem specific

{
    "noarch": [
        "tomcat-9.0.118-1.oe2403sp3.noarch.rpm",
        "tomcat-help-9.0.118-1.oe2403sp3.noarch.rpm",
        "tomcat-jsvc-9.0.118-1.oe2403sp3.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.118-1.oe2403sp3.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2296.json"
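The affected-range entries above give a fixed EVR per openEuler branch, and "introduced 0" means everything below it is affected. Deciding whether a host is patched therefore comes down to an RPM version comparison, which is not a plain string or numeric compare. The following is an added example, not openEuler or OSV tooling, that embeds the fixed EVRs from this page, ports rpm's `rpmvercmp` segment algorithm (including the `~` and `^` rules) to Python, and checks an installed EVR against them; the `rpm -q` query format string is standard, but the script name and CLI shape are this example's own.

```python
"""Check an installed openEuler tomcat RPM against the fixed EVRs in OESA-2026-2296.

Added example; not openEuler or OSV tooling. FIXED_EVR is copied from this
advisory's "Affected ranges". The installed EVR comes from `rpm -q` or from
the command line. Usage (assumed script name):
    python check_oesa_2026_2296.py openEuler-22.03-LTS-SP4 [EVR]
"""
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

# Fixed package EVR per distro, as listed on this advisory page.
FIXED_EVR = {
    "openEuler-20.03-LTS-SP4": "9.0.118-1.oe2003sp4",
    "openEuler-22.03-LTS-SP4": "9.0.118-1.oe2203sp4",
    "openEuler-24.03-LTS":     "9.0.118-1.oe2403sp3",
    "openEuler-24.03-LTS-SP1": "9.0.118-1.oe2403sp1",
    "openEuler-24.03-LTS-SP3": "9.0.118-1.oe2403sp3",
}

_NUM = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")
_SEP = re.compile(r"[^0-9A-Za-z~^]*")     # rpm treats other characters as separators


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # '~' sorts before anything, including end of string (pre-releases)
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        # '^' sorts after end of string but before any other segment
        if one.startswith("^") or two.startswith("^"):
            if not one:
                return -1
            if not two:
                return 1
            if not one.startswith("^"):
                return 1
            if not two.startswith("^"):
                return -1
            one, two = one[1:], two[1:]
            continue
        one = one[_SEP.match(one).end():]
        two = two[_SEP.match(two).end():]
        if not one or not two:
            break
        pattern = _NUM if "0" <= one[0] <= "9" else _ALPHA
        m1, m2 = pattern.match(one), pattern.match(two)
        if m2 is None:                    # numeric segment outranks alphabetic one
            return 1 if pattern is _NUM else -1
        s1, s2 = m1.group(), m2.group()
        if pattern is _NUM:
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):        # more digits wins
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        one, two = one[m1.end():], two[m2.end():]
    if not one and not two:
        return 0
    return -1 if not one else 1           # whichever string has segments left wins


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; epoch optional, rpm prints '(none)' when unset."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        if e and e != "(none)":
            epoch = int(e)
    version, release = evr.rsplit("-", 1) if "-" in evr else (evr, "")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(distro: str, installed_evr: str) -> bool:
    """True if the installed tomcat EVR is at or above the advisory's fixed EVR."""
    return evr_cmp(installed_evr, FIXED_EVR[distro]) >= 0


def installed_tomcat_evr() -> Optional[str]:
    """Query rpm for the installed tomcat EVR; None if rpm or the package is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(
        ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "tomcat"],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    distro = sys.argv[1]
    evr = sys.argv[2] if len(sys.argv) > 2 else installed_tomcat_evr()
    if evr is None:
        sys.exit("tomcat is not installed (or rpm is unavailable)")
    state = "patched" if is_patched(distro, evr) else "VULNERABLE"
    print(f"tomcat {evr} on {distro}: {state} (fixed in {FIXED_EVR[distro]})")
```

Two caveats when reading the result. First, the comparison must be done this way: `9.0.117-3` is below `9.0.118-1` even though `3 > 1`, and `10.1.55` is above `9.0.118` even though "1" sorts before "9" as text. Second, the 24.03-LTS entry on this page lists `9.0.118-1.oe2403sp3` as the fixed EVR while its RPM list also contains `oe2403` and `oe2403sp1` builds of 9.0.118; a strict EVR comparison flags those builds as below the fix, so on that branch confirm which build your repository actually serves rather than trusting the boundary alone.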