HomeDefault status
unaffected
11.0.0-M1 (semver)
affected
10.1.0-M1 (semver)
affected
9.0.2 (semver)
affected
8.5.24 (semver)
affected
7.0.83 (semver)
affected
Description
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Problem types
CWE-200 Exposure of HTTP Authentication Header to unexpected hosts
Product status
11.0.0-M1 (semver)
10.1.0-M1 (semver)
9.0.2 (semver)
8.5.24 (semver)
7.0.83 (semver)
Credits
lokerxx
References
www.openwall.com/lists/oss-security/2026/05/12/14
lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb