Improper Handling of Case Sensitivity in Apache Tomcat
CVE-2026-43513
Currently unrated
What is CVE-2026-43513?
Apache Tomcat is affected by a vulnerability that arises from improper handling of case sensitivity in the LockOutRealm component. This flaw may allow unauthorized access or result in denial of service due to incorrect validation of user credentials. Affected versions range from 11.0.0-M1 through 11.0.21, with similar ranges in earlier release lines down to 7.0.0. Users are encouraged to upgrade to version 11.0.22, 10.1.55, or 9.0.118, which fix this flaw.
Affected Version(s)
Apache Tomcat 11.0.0-M1 <= 11.0.21
Apache Tomcat 10.1.0-M1 <= 10.1.54
Apache Tomcat 9.0.0.M1 <= 9.0.117
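
To triage an installed Tomcat against the ranges listed above, the following added example (not part of the advisory or of the Apache Tomcat project) classifies a version string or banner-style string, handling both milestone spellings (`-M1` and `.M1`). The function names and status labels are hypothetical, and reporting 7.0.x through 8.5.x as affected with no fix listed is an assumption based on the description's "down to 7.0.0" wording; release lines the page does not name are reported as not listed.

```python
import re

# Affected ranges and fixed releases exactly as listed in the advisory.
LISTED = {
    (11, 0): ("11.0.0-M1", "11.0.21", "11.0.22"),
    (10, 1): ("10.1.0-M1", "10.1.54", "10.1.55"),
    (9, 0): ("9.0.0.M1", "9.0.117", "9.0.118"),
}

# Matches 9.0.117, 9.0.0.M1 and 11.0.0-M1, also inside a longer banner string.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse(text):
    """Return a sortable key; milestone builds sort before the final release."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    stage = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (major, minor, patch, stage)


def triage(text):
    """Return (status, fixed_release) for a version string or server banner."""
    key = parse(text)
    branch = key[:2]
    if branch in LISTED:
        first, last, fixed = LISTED[branch]
        if parse(first) <= key <= parse(last):
            return ("affected", fixed)
        if key >= parse(fixed):
            return ("fixed", None)
    elif (7, 0) <= branch < (9, 0):
        # Assumption: the description says the issue reaches down to 7.0.0,
        # but the page lists no fixed release for these release lines.
        return ("affected-no-fix-listed", None)
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    for sample in ("Apache Tomcat/10.1.54", "11.0.22", "9.0.0.M1", "8.5.100"):
        print(sample, "->", triage(sample))
```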