WebSocket Authentication Vulnerability in Apache Tomcat
CVE-2026-42498

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42498?

A vulnerability in Apache Tomcat allows for the unintended exposure of HTTP Authentication Headers to unexpected hosts during WebSocket authentication. This poses a significant security risk, potentially enabling unauthorized access to sensitive information. Affected versions include several releases across the 11.x, 10.x, 9.x, 8.x, and 7.x series. It is highly recommended for users to upgrade to the latest versions—11.0.22, 10.1.55, or 9.0.118—to mitigate this vulnerability effectively.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.21

Apache Tomcat 10.1.0-M1 <= 10.1.54

Apache Tomcat 9.0.2 <= 9.0.117

References

https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm...

vendor-advisory

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

lokerxx

CVE-2026-42498 Data

JSON