External risk intelligence

Apache Tomcat Security Constraint Bypass via URL Encoding Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-59083

Apache Tomcat is a web server and servlet container designed to host public-facing web applications and APIs. The rewrite valve is a core component often used at the edge of these deployments to manage URL routing, making this vulnerability directly exposed to public-internet traffic.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts Apache Tomcat, a widely used web server technology. It allows bypassing security restrictions due to improper handling of web addresses, potentially enabling unauthorized access to applications hosted on Tomcat. The main concern is confirming relevance and exposure to our environment.

  • Web addresses can be manipulated to bypass security.
  • Affects systems hosting public-facing applications.
  • Assess if our Tomcat instances are exposed.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to a vulnerable Apache Tomcat server. The server's rewrite valve, which processes URLs, incorrectly handles hex-encoded characters in URLs. This misinterpretation can allow an attacker to bypass configured security constraints, potentially leading to unauthorized access or other unintended actions.

  • No authentication or privileges needed.
  • Malicious URL request to rewrite valve.
  • Bypasses security constraints.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthorized access to restricted resources on systems running vulnerable Apache Tomcat versions when specific URL encoding configurations are used. When improperly handled, hexadecimal-encoded characters in URLs might bypass security constraints, potentially exposing sensitive information or allowing unauthorized actions.

  • System access to restricted resources.
  • Bypass of security constraints via URL encoding.
  • Unauthorized access to application data.

Operational Fix

Recommended remediation, mitigation, and detection steps

Security and infrastructure teams are most likely responsible for addressing this critical vulnerability in Apache Tomcat, especially since it's exposed to public internet traffic via the rewrite valve. The immediate first step is to identify all instances of affected Tomcat versions, determine their reachability and business criticality, and then confirm the accountable owner for remediation planning.

  • Infrastructure and security teams own this.
  • Verify affected Tomcat instances and exposure.
  • Plan risk-based remediation and vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Apache Tomcat?

Apache Tomcat is a widely used open-source web server and servlet container. Developers use it to host Java-based web applications and APIs, allowing them to process requests and deliver dynamic content to users. It acts as a foundational piece of infrastructure for many websites, sitting between the internet and the application code.

How does CVE-2026-59083 affect URL security?

This vulnerability, classified as Improper Handling of URL Encoding (CWE-177), happens when the rewrite valve misinterprets hexadecimal-encoded characters in a web address. Because the software fails to process these encoded characters correctly, it may allow a request to bypass security constraints that were intended to block unauthorized access to specific parts of a website.

Do I need special access to trigger this bug?

No, an attacker does not need authentication or specific user privileges to trigger this vulnerability. They simply need to send a specially crafted URL request to the server. Note that the bug relies on the rewrite valve's specific processing of hex encoding; simple, standard requests that do not involve this specific encoding behavior will not trigger the security bypass.

Is my server at risk if it is public-facing?

According to Halo Surface Signal, this vulnerability is considered highly relevant for public-facing servers. Because the rewrite valve is a core component often placed at the edge of deployments to manage URL routing, it is directly reachable by internet traffic. If your Tomcat instance is exposed to the public internet, it faces a higher likelihood of being targeted compared to internal-only systems.

When should I update my Tomcat software?

You should prioritize identifying all running instances of the affected versions (11.0.x, 10.1.x, 9.0.x, and 8.5.x) immediately. The primary response is to upgrade to the patched versions—11.0.24, 10.1.57, or 9.0.120—as soon as possible. Work with your infrastructure team to verify which instances are in use and plan a risk-based upgrade schedule to remove the vulnerability.

References