Apache Tomcat up to 11.0.22 web.xml control flow

Summaryinfo

A vulnerability labeled as critical has been found in Apache Tomcat up to 7.x/8.5.100/9.0.118/10.1.55/11.0.22. This affects an unknown part of the file web.xml. The manipulation results in control flow. This vulnerability is identified as CVE-2026-55276. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as critical has been found in Apache Tomcat up to 7.x/8.5.100/9.0.118/10.1.55/11.0.22. Affected is an unknown part of the file web.xml. The manipulation with an unknown input leads to a control flow vulnerability. CWE is classifying the issue as CWE-670. The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.

The advisory is available at lists.apache.org. This vulnerability is traded as CVE-2026-55276 since 06/16/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 06/30/2026).

By approaching the search of inurl:web.xml it is possible to find vulnerable targets with Google Hacking.

Upgrading eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-40230). If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

Version

• 7.x
• 8.0
• 8.1
• 8.2
• 8.3
• 8.4
• 8.5.100
• 9.0.118
• 10.1.0
• 10.1.1
• 10.1.2
• 10.1.3
• 10.1.4
• 10.1.5
• 10.1.6
• 10.1.7
• 10.1.8
• 10.1.9
• 10.1.10
• 10.1.11
• 10.1.12
• 10.1.13
• 10.1.14
• 10.1.15
• 10.1.16
• 10.1.17
• 10.1.18
• 10.1.19
• 10.1.20
• 10.1.21
• 10.1.22
• 10.1.23
• 10.1.24
• 10.1.25
• 10.1.26
• 10.1.27
• 10.1.28
• 10.1.29
• 10.1.30
• 10.1.31
• 10.1.32
• 10.1.33
• 10.1.34
• 10.1.35
• 10.1.36
• 10.1.37
• 10.1.38
• 10.1.39
• 10.1.40
• 10.1.41
• 10.1.42
• 10.1.43
• 10.1.44
• 10.1.45
• 10.1.46
• 10.1.47
• 10.1.48
• 10.1.49
• 10.1.50
• 10.1.51
• 10.1.52
• 10.1.53
• 10.1.54
• 10.1.55
• 11.0.0
• 11.0.1
• 11.0.2
• 11.0.3
• 11.0.4
• 11.0.5
• 11.0.6
• 11.0.7
• 11.0.8
• 11.0.9
• 11.0.10
• 11.0.11
• 11.0.12
• 11.0.13
• 11.0.14
• 11.0.15
• 11.0.16
• 11.0.17
• 11.0.18
• 11.0.19
• 11.0.20
• 11.0.21
• 11.0.22

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion