CVE-2026-59083 in Tomcat
Summary
by MITRE • 07/14/2026
Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/14/2026
The vulnerability under discussion represents a critical weakness in Apache Tomcat's rewrite valve component that enables attackers to bypass security constraints through improper handling of URL encoding mechanisms. This flaw specifically targets the processing of hexadecimal encoded URLs within the web server's request handling pipeline, creating a pathway for unauthorized access to protected resources. The vulnerability has been classified as an improper handling of URL encoding issue that affects multiple major versions of Apache Tomcat across its 11.x, 10.x, and 9.x release lines, with the affected range spanning from initial milestone releases through specific patch levels up to version 11.0.23, 10.1.56, and 9.0.119 respectively.
The technical root cause of this vulnerability lies in how Apache Tomcat's rewrite valve processes URL encoded requests containing hexadecimal characters. When the server encounters a request with hex encoding such as %xx sequences within URLs, the rewrite valve fails to properly normalize or validate these encoded components against security constraints. This processing gap allows attackers to craft malicious requests where encoded path segments bypass the intended access control mechanisms that should restrict access to sensitive resources. The flaw essentially creates a condition where the server's security enforcement logic operates on different representations of the same resource path, enabling privilege escalation and unauthorized data access.
The operational impact of this vulnerability extends beyond simple access control bypasses as it can enable attackers to traverse directory structures, access restricted administrative interfaces, or retrieve confidential data that should be protected by security constraints. This weakness particularly affects applications that rely heavily on URL rewriting for routing logic while simultaneously implementing security measures based on path-based access controls. The vulnerability is especially concerning because it operates at the HTTP request processing layer where legitimate and malicious traffic cannot be easily distinguished based on encoding patterns alone, making detection and prevention challenging within existing security monitoring systems.
Security practitioners should note that this vulnerability aligns with CWE-185, which addresses improper handling of regular expressions and similar parsing issues in web applications. The flaw also maps to ATT&CK technique T1078.004 for valid accounts and T1566.001 for malicious file execution through web application vulnerabilities. Organizations implementing Apache Tomcat as their primary web server platform must prioritize immediate patching of affected versions, with recommended upgrades to 11.0.24, 10.1.57, or 9.0.120. Mitigation strategies should include thorough review of existing security constraints and URL rewriting rules, implementation of additional input validation layers, and enhanced monitoring for unusual URL encoding patterns that could indicate exploitation attempts.
The remediation approach requires careful consideration of application compatibility since the fix may alter how certain URL rewriting scenarios are processed. Administrators should conduct comprehensive testing of all rewrite rules and access control configurations following patch deployment to ensure that legitimate application functionality remains intact while security protections are properly restored. Organizations should also implement automated monitoring for suspicious URL encoding patterns and establish incident response procedures specifically addressing potential exploitation attempts leveraging this vulnerability type, as the nature of URL encoding bypasses can be subtle and difficult to detect through standard security scanning tools.