CVE-2026-53404
Summary
by MITRE • 06/29/2026
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.
Analysis
by VulDB Data Team • 06/29/2026
The vulnerability is a critical control flow implementation flaw in Apache Tomcat's rewrite valve that undermines the intended logic of conditional rewrite rules. Logical OR chains within rewrite conditions are interpreted incorrectly: once the first condition in an OR sequence matches, all subsequent conditions are bypassed regardless of whether they are logically required. The flaw stems from improper handling of the control flow execution path, where the rewrite valve fails to evaluate every condition in a logical chain, leading to unexpected behavior in URL rewriting operations.
From a technical perspective, the vulnerability resides in the core logic of Tomcat's mod_rewrite-style functionality, specifically in how the rewrite valve processes conditional statements. Evaluation of the remaining conditions is terminated prematurely once a match is found in an OR chain, effectively creating a path traversal vulnerability that can be exploited to bypass intended access controls or rewrite rules. The issue maps to CWE-691, which describes insufficient control flow management and improper handling of logical operators in conditional logic.
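As an added illustration (not the page's or Tomcat's own code), the Python below models the intended evaluation of a RewriteCond chain beside the skipped-evaluation behaviour described above, and adds a small checker that flags rules in a rewrite.config whose condition layout (an [OR] group followed by further conditions) the flaw mis-evaluates. The config fragment is constructed for the example; the model is a simplification of the described behaviour, not a reproduction of the valve's code.

```python
import re
from typing import List, Tuple
# (label, matched, has_OR_flag): has_OR_flag models a "[OR]" flag on a RewriteCond line.
Cond = Tuple[str, bool, bool]

def eval_chain(conds: List[Cond], buggy: bool = False) -> bool:
    """Correct semantics: consecutive [OR] conditions form one group and every group
    (or standalone condition) must hold for the rule to fire. With buggy=True, a matching
    [OR] condition ends the whole chain as 'matched' (simplified model of CVE-2026-53404)."""
    result, group = True, False
    for _label, matched, or_flag in conds:
        if buggy and or_flag and matched:
            return True              # should satisfy only this OR group, not the chain
        group = group or matched
        if not or_flag:              # a non-OR condition closes the current group
            result, group = result and group, False
    return result

COND_RE = re.compile(r"^\s*RewriteCond\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?\s*$")

def flag_affected_rules(config_text: str) -> List[int]:
    """1-based line numbers of RewriteRule lines whose condition chain has an [OR]
    group followed by further conditions: the layout the flaw mis-evaluates."""
    affected, in_or, or_closed, after_or = [], False, False, False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            flags = {f.strip().upper() for f in (m.group(1) or "").split(",")}
            after_or = after_or or or_closed     # any condition after a closed OR group
            if "OR" in flags:
                in_or = True
            elif in_or:                          # non-OR line ends the OR group
                in_or, or_closed = False, True
        elif line.strip().startswith("RewriteRule"):
            if after_or:
                affected.append(lineno)
            in_or = or_closed = after_or = False
    return affected

# Constructed rewrite.config fragment (not from the advisory). The rule on line 4 is
# meant to fire only for internal clients AND over HTTPS; the rule on line 6 is unaffected.
SAMPLE_CONFIG = """\
RewriteCond %{REMOTE_ADDR} ^10\\. [OR]
RewriteCond %{REMOTE_ADDR} ^192\\.168\\.
RewriteCond %{HTTPS} on
RewriteRule ^/admin/(.*)$ /internal/$1 [L]
RewriteCond %{HTTP_HOST} ^example\\.org$
RewriteRule ^/(.*)$ https://www.example.org/$1 [R=301,L]
"""
```

Running `flag_affected_rules` over a deployment's rewrite.config before upgrading shows which rules could fire on a path they were not meant to match while the affected versions are in use.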
The operational impact extends beyond simple URL rewriting failures to potential compromise of application security through unintended access patterns. Where attackers can manipulate rewrite conditions to exploit the incorrect control flow, they may bypass authentication mechanisms, access restricted resources, or redirect traffic through unintended pathways. The vulnerability affects multiple major versions of Tomcat, including the latest releases, indicating a long-standing issue that has persisted across code bases and release cycles. Organizations running affected versions may therefore be experiencing unexpected behavior in their URL rewriting configurations.
Remediation consists of upgrading to the patched versions, in which the control flow implementation has been corrected to evaluate all conditions in a logical chain. Versions 11.0.23, 10.1.56 and 9.0.119 contain fixes that ensure every conditional statement is evaluated regardless of its position within an OR chain. Organizations should prioritize these upgrades in their vulnerability management processes, particularly where URL rewriting is used for access control or traffic management. The fix addresses the root cause by restoring the expected evaluation sequence and preventing premature termination of conditional processing.
This vulnerability demonstrates the importance of correct logical operator handling in security-sensitive components and aligns with ATT&CK techniques related to privilege escalation through configuration flaws. It is a classic example of how a seemingly minor implementation error in control flow logic can have significant security implications, particularly in web application servers where URL rewriting is commonly used for access control and traffic management. Organizations should also consider additional monitoring around rewrite rule configurations to detect anomalous behavior that might indicate exploitation attempts.