External risk intelligence

Attacker can bypass authorization in Apache Tomcat due to HTTP method constraint flaw

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-43515

Apache Tomcat contains a critical Improper Authorization flaw that can give unauthenticated clients access to protected application resources. It is triggered when more than one security constraint defines how HTTP methods are handled for the same file extension and Tomcat does not enforce the combined rules as intended, potentially exposing sensitive data and allowing unauthorized actions.

Halo Surface Signal score: 4

Apache Tomcat

  • 7.0.0 to 7.0.109
  • 8.5.0 to 8.5.100
  • 9.0.0 to before 9.0.118
  • 10.1.0 to before 10.1.55
  • 11.0.0 to before 11.0.22
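The affected ranges above mix inclusive bounds (7.0.0 to 7.0.109) with exclusive "before" bounds (9.0.0 to before 9.0.118), which is easy to get wrong when checking a fleet by hand. The following script is an added example for this page, not tooling from the advisory vendor or the Tomcat project; it encodes exactly the ranges listed here and classifies version strings as they appear in a Server header or in catalina.sh version output. The inventory it runs over is constructed sample data, and the host names are hypothetical.

```python
import re

# Affected ranges copied from the advisory. "before X" means X itself is
# fixed (exclusive upper bound); the 7.0 and 8.5 ranges list no fixed release.
AFFECTED_RANGES = [
    # (lower bound inclusive, upper bound, upper bound inclusive?)
    ((7, 0, 0), (7, 0, 109), True),
    ((8, 5, 0), (8, 5, 100), True),
    ((9, 0, 0), (9, 0, 118), False),
    ((10, 1, 0), (10, 1, 55), False),
    ((11, 0, 0), (11, 0, 22), False),
]

# First fixed release per branch, as listed in the advisory.
FIXED_RELEASES = {(9, 0): "9.0.118", (10, 1): "10.1.55", (11, 0): "11.0.22"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract major.minor.patch from strings such as '9.0.117',
    'Apache Tomcat/9.0.117' (Server header) or 'Server version: Apache
    Tomcat/10.1.54' (catalina.sh version). Raises ValueError if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the version falls inside any advisory range."""
    v = parse_version(text)
    for low, high, inclusive in AFFECTED_RANGES:
        if v < low:
            continue
        if (v <= high) if inclusive else (v < high):
            return True
    return False


def remediation(text):
    """Return the advisory's action for one version string."""
    v = parse_version(text)
    if not is_affected(text):
        return "not in an affected range"
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed:
        return f"upgrade to {fixed} or later"
    return ("no fixed release listed for this branch; "
            "move to 9.0.118, 10.1.55 or 11.0.22")


def audit(inventory):
    """inventory: mapping host name -> version string. Returns only the
    hosts that need action, with the action to take."""
    return {host: remediation(ver)
            for host, ver in inventory.items() if is_affected(ver)}


if __name__ == "__main__":
    sample = {  # constructed inventory, hypothetical host names
        "web-01": "Apache Tomcat/9.0.117",
        "web-02": "Apache Tomcat/9.0.118",
        "legacy-01": "Apache Tomcat/8.5.100",
        "api-01": "Apache Tomcat/10.1.54",
        "new-01": "Apache Tomcat/11.0.22",
    }
    for host, action in audit(sample).items():
        print(f"{host}: {action}")
```

Versions outside every listed range (for example a future 12.x) are reported as not affected only because the advisory does not list them; treat that as "not covered by this advisory" rather than a clean bill of health.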

External exposure likelihood

Halo Surface Signal score for CVE-2026-43515

Apache Tomcat is a standard application server designed to host web applications and APIs. Given its primary role as an internet-facing service in many architectures, it is commonly accessible to external network traffic, making vulnerabilities in its request authorization and access control logic highly reachable from the internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Apache Tomcat could allow unauthorized access to your applications. It arises when more than one security constraint defines how HTTP methods are handled for the same file extension and Tomcat does not apply the combined rules as the configuration intended, so a request can bypass the access controls that were meant to cover it. This warrants attention because it undermines core request authorization in the web server itself.

  • Could lead to data breaches or unauthorized actions.
  • Affects systems running various Apache Tomcat versions.
  • Accessible from the internet.
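To make the "multiple constraints for the same file extension" situation concrete, here is an added web.xml illustration written for this page; it is not configuration from the advisory or from the Tomcat project, and the resource names and role are hypothetical. The weak fragment splits a *.jsp pattern across two method-scoped constraints, the layout that the summary says the flaw is triggered by; the hardened fragment collapses them into one constraint that covers every method and adds the Servlet 3.1 <deny-uncovered-http-methods/> element. The hardened layout is standard defence in depth for method-scoped constraints and does not replace the upgrade to a fixed release.

```xml
<!-- Weak: two constraints scope different methods to the same extension.
     Only GET and POST on *.jsp require the admin role. Any other method
     (PUT, DELETE, OPTIONS, or an arbitrary method token) is "uncovered":
     it is handed to the servlet with no authorization check at all.
     Tomcat logs a startup warning about uncovered methods for exactly
     this pattern. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (GET)</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (POST)</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Hardened: one constraint with no <http-method> applies to every method
     on the pattern, and <deny-uncovered-http-methods/> (Servlet 3.1+, a
     direct child of <web-app>) makes Tomcat reject any method that a
     method-scoped constraint elsewhere in the file leaves uncovered
     instead of letting it through. -->
<deny-uncovered-http-methods/>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages (all methods)</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
```

A quick check on any deployment: grep the Tomcat startup log for "uncovered" warnings; each one names a URL pattern whose constraints were written for some methods but not all.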

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by sending crafted HTTP requests to a vulnerable Apache Tomcat server, using a method that the overlapping constraints for a protected file extension do not enforce as intended. This allows the attacker to bypass authorization checks and read or modify resources they should not be able to reach.

  • No authentication required.
  • Targets HTTP method constraints.
  • Exploitable via network requests.

Live Threat

Current exploitation, exposure, and threat context

This Improper Authorization vulnerability in Apache Tomcat impacts numerous versions and can be exploited without authentication. Attackers may find it appealing because Tomcat is so widely used for web application hosting, which offers a large attack surface. The vulnerability is rated CRITICAL: a successful bypass exposes whatever data and actions sit behind the affected access controls.

  • Unauthenticated network exploitation possible.
  • Affects multiple Tomcat versions.
  • Published May 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Apache Tomcat to a fixed release to address the critical Improper Authorization vulnerability. If immediate patching is not feasible, restrict the HTTP methods that can reach Tomcat at a reverse proxy or WAF (a network firewall cannot filter by HTTP method) to the set each application actually needs, review web.xml security constraints so that method-scoped constraints on an extension pattern do not leave other methods uncovered, and monitor access logs for unexpected methods against protected resources that receive a success response.

  • Upgrade to Tomcat 11.0.22, 10.1.55, or 9.0.118.
  • Restrict HTTP methods at the proxy or WAF to those each application needs.
  • Monitor access logs for exploitation attempts.
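The monitoring step above can be started from the Tomcat access log without any extra tooling. The script below is an added example for this page, not from the advisory vendor or the Tomcat project. It parses lines in the default AccessLogValve "common" pattern and flags requests that hit a protected extension with a method the application never uses and were not rejected; the protected extensions and the expected method set are assumptions to adjust per application, and the log lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Default Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumptions for this example: the application protects these extensions
# with security constraints, and its clients only ever use these methods.
PROTECTED_EXTENSIONS = (".jsp", ".jspx")
EXPECTED_METHODS = {"GET", "POST", "HEAD"}


@dataclass
class Finding:
    host: str
    time: str
    method: str
    target: str
    status: int


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_suspicious(rec):
    """A request is suspicious when it targets a protected extension with a
    method the application never uses and the server did not reject it.
    Denied requests (4xx/5xx) are left out: the constraint did its job."""
    path = rec["target"].split("?", 1)[0]
    if not path.lower().endswith(PROTECTED_EXTENSIONS):
        return False
    if rec["status"] >= 400:
        return False
    # Case-sensitive on purpose: HTTP method tokens are case-sensitive, so a
    # lower-case or otherwise odd token is itself worth a look.
    return rec["method"] not in EXPECTED_METHODS


def scan(lines):
    """Run the rule over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            findings.append(Finding(rec["host"], rec["time"], rec["method"],
                                    rec["target"], rec["status"]))
    return findings


# Constructed sample log (not real traffic): a denied anonymous request, a
# legitimate admin request, a denied probe, two probes that reached a
# protected JSP with odd methods, and one request to an unprotected file.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:15:32 +0000] "GET /admin/config.jsp HTTP/1.1" 401 -',
    '203.0.113.5 - alice [12/May/2026:10:15:40 +0000] "GET /admin/config.jsp HTTP/1.1" 200 1834',
    '198.51.100.7 - - [12/May/2026:10:16:02 +0000] "TRACE /admin/config.jsp HTTP/1.1" 405 -',
    '198.51.100.7 - - [12/May/2026:10:16:05 +0000] "PUT /admin/config.jsp HTTP/1.1" 200 1834',
    '198.51.100.7 - - [12/May/2026:10:16:09 +0000] "get /admin/config.jsp?view=1 HTTP/1.1" 200 1834',
    '198.51.100.7 - - [12/May/2026:10:16:12 +0000] "DELETE /static/logo.png HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.method} {f.target} -> {f.status} at {f.time}")
```

Run it against a real log with `scan(open("localhost_access_log.txt"))` after adjusting the two assumption constants; if the deployment uses a custom AccessLogValve pattern, update LOG_RE to match it before trusting the output.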

Frequently asked questions

What is Apache Tomcat and its purpose?

Apache Tomcat is a widely adopted open-source application server. It serves as both a web server and a servlet container, enabling the execution of Java-based web applications and the delivery of dynamic content to users.

How does CVE-2026-43515 enable unauthorized access via Improper Authorization?

CVE-2026-43515 is an Improper Authorization vulnerability. It arises when more than one security constraint in Tomcat's configuration specifies which HTTP methods (e.g., GET, POST) are restricted for the same file extension and Tomcat does not apply the combined restrictions as intended, allowing attackers to circumvent the access controls the configuration was meant to impose.

What are the conditions for an attacker to exploit this vulnerability?

An attacker can exploit this vulnerability by sending crafted HTTP requests to a vulnerable Apache Tomcat server. This allows them to bypass authorization checks and gain access to or alter resources they are not permitted to interact with. Exploitation does not require authentication and is achievable over a network.

What is the relevance of CVE-2026-43515, as per Halo Surface Signal?

Halo classifies this CVE as external and likely exploitable. Apache Tomcat is commonly used as an internet-facing service, making vulnerabilities in its access control logic highly reachable from external networks, indicating a significant risk.

What actions should be taken to address this vulnerability?

To mitigate this vulnerability, it is recommended to upgrade Apache Tomcat to version 11.0.22, 10.1.55, or 9.0.118. If immediate upgrading is not possible, restrict the HTTP methods that can reach Tomcat at a reverse proxy or WAF to those each application needs, review web.xml security constraints for method-scoped rules on extension patterns that leave other methods uncovered, and actively monitor access logs for unexpected methods against protected resources.
