Apache Tomcat up to 9.0.81/9.0.118/10.1.55/11.0.22 error condition

Summaryinfo

A vulnerability identified as critical has been detected in Apache Tomcat up to 9.0.81/9.0.118/10.1.55/11.0.22. Affected by this issue is some unknown functionality. The manipulation leads to error condition. This vulnerability is referenced as CVE-2026-53434. Remote exploitation of the attack is possible. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Apache Tomcat up to 9.0.81/9.0.118/10.1.55/11.0.22. It has been rated as critical. This issue affects some unknown functionality. The manipulation with an unknown input leads to a error condition vulnerability. Using CWE to declare the problem leads to CWE-390. The product detects a specific error, but takes no actions to handle the error. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

The advisory is shared at lists.apache.org. The identification of this vulnerability is CVE-2026-53434 since 06/09/2026. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/30/2026).

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-40228). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

Version

• 9.0.0
• 9.0.1
• 9.0.2
• 9.0.3
• 9.0.4
• 9.0.5
• 9.0.6
• 9.0.7
• 9.0.8
• 9.0.9
• 9.0.10
• 9.0.11
• 9.0.12
• 9.0.13
• 9.0.14
• 9.0.15
• 9.0.16
• 9.0.17
• 9.0.18
• 9.0.19
• 9.0.20
• 9.0.21
• 9.0.22
• 9.0.23
• 9.0.24
• 9.0.25
• 9.0.26
• 9.0.27
• 9.0.28
• 9.0.29
• 9.0.30
• 9.0.31
• 9.0.32
• 9.0.33
• 9.0.34
• 9.0.35
• 9.0.36
• 9.0.37
• 9.0.38
• 9.0.39
• 9.0.40
• 9.0.41
• 9.0.42
• 9.0.43
• 9.0.44
• 9.0.45
• 9.0.46
• 9.0.47
• 9.0.48
• 9.0.49
• 9.0.50
• 9.0.51
• 9.0.52
• 9.0.53
• 9.0.54
• 9.0.55
• 9.0.56
• 9.0.57
• 9.0.58
• 9.0.59
• 9.0.60
• 9.0.61
• 9.0.62
• 9.0.63
• 9.0.64
• 9.0.65
• 9.0.66
• 9.0.67
• 9.0.68
• 9.0.69
• 9.0.70
• 9.0.71
• 9.0.72
• 9.0.73
• 9.0.74
• 9.0.75
• 9.0.76
• 9.0.77
• 9.0.78
• 9.0.79
• 9.0.80
• 9.0.81
• 9.0.118
• 10.1.0
• 10.1.1
• 10.1.2
• 10.1.3
• 10.1.4
• 10.1.5
• 10.1.6
• 10.1.7
• 10.1.8
• 10.1.9
• 10.1.10
• 10.1.11
• 10.1.12
• 10.1.13
• 10.1.14
• 10.1.15
• 10.1.16
• 10.1.17
• 10.1.18
• 10.1.19
• 10.1.20
• 10.1.21
• 10.1.22
• 10.1.23
• 10.1.24
• 10.1.25
• 10.1.26
• 10.1.27
• 10.1.28
• 10.1.29
• 10.1.30
• 10.1.31
• 10.1.32
• 10.1.33
• 10.1.34
• 10.1.35
• 10.1.36
• 10.1.37
• 10.1.38
• 10.1.39
• 10.1.40
• 10.1.41
• 10.1.42
• 10.1.43
• 10.1.44
• 10.1.45
• 10.1.46
• 10.1.47
• 10.1.48
• 10.1.49
• 10.1.50
• 10.1.51
• 10.1.52
• 10.1.53
• 10.1.54
• 10.1.55
• 11.0.0
• 11.0.1
• 11.0.2
• 11.0.3
• 11.0.4
• 11.0.5
• 11.0.6
• 11.0.7
• 11.0.8
• 11.0.9
• 11.0.10
• 11.0.11
• 11.0.12
• 11.0.13
• 11.0.14
• 11.0.15
• 11.0.16
• 11.0.17
• 11.0.18
• 11.0.19
• 11.0.20
• 11.0.21
• 11.0.22

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion