Improper Input Validation in Apache Tomcat Affects Multiple Versions
CVE-2025-66614
What is CVE-2025-66614?
An improper input validation vulnerability in Apache Tomcat affects the versions listed below. The issue arises when the host name sent in the TLS SNI extension differs from the host name in the HTTP Host header field. In configurations with multiple virtual hosts where certificate authentication is not applied consistently, a client can use this mismatch to evade the security measures of a host. The configurations primarily affected are those where certificate authentication is enforced at the Connector level but not at the web application level. To mitigate the risk, users should upgrade to version 11.0.15, 10.1.50, or 9.0.113 or later.
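The affected shape is a TLS connector whose SNI virtual hosts do not all apply the same client-certificate policy; the following configuration audit, added here and not part of the advisory or of Tomcat itself, parses a server.xml and reports such connectors. The SSLHostConfig attribute names (hostName, certificateVerification) are Tomcat's own; the embedded server.xml fragment and its host names are constructed for the example.

```python
"""Audit a Tomcat server.xml for client-certificate policies that differ
across the SNI hosts of one connector (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: two SNI hosts on one TLS connector,
# only one of which requires a client certificate.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol">
      <SSLHostConfig hostName="secure.example.test"
                     certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/secure.jks" />
      </SSLHostConfig>
      <SSLHostConfig hostName="_default_" certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/default.jks" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def connector_cert_policies(server_xml: str) -> dict:
    """Map each TLS connector (keyed by port) to {SNI hostName: certificateVerification}."""
    root = ET.fromstring(server_xml)
    policies = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS client auth to compare
        hosts = {}
        for shc in conn.findall("SSLHostConfig"):
            # Tomcat defaults: hostName="_default_", certificateVerification="none"
            name = shc.get("hostName", "_default_")
            hosts[name] = shc.get("certificateVerification", "none")
        policies[conn.get("port", "?")] = hosts
    return policies


def inconsistent_connectors(server_xml: str) -> list:
    """Return ports where some, but not all, SNI hosts require a client certificate.
    Such connectors depend on per-application CLIENT-CERT constraints rather than on
    the connector alone, which is the configuration the advisory describes."""
    findings = []
    for port, hosts in connector_cert_policies(server_xml).items():
        required = [h for h, v in hosts.items() if v == "required"]
        if required and len(required) != len(hosts):
            findings.append(port)
    return findings


if __name__ == "__main__":
    for port in inconsistent_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: client-cert requirement differs across SNI hosts")
```

Running it against a real conf/server.xml lists the connectors to review; the fix the advisory gives is still the version upgrade.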
Affected Version(s)
Apache Tomcat 11.0.0-M1 through 11.0.14
Apache Tomcat 10.1.0-M1 through 10.1.49
Apache Tomcat 9.0.0-M1 through 9.0.112