Timing Discrepancy Vulnerability in Apache Tomcat
CVE-2026-43514

3.7LOW

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-43514?

An observable timing discrepancy vulnerability exists in Apache Tomcat due to improper handling when comparing AJP secrets. This issue can lead to potential information disclosure, enabling attackers to exploit timing variations and infer sensitive information. Users are strongly encouraged to update to the patched versions (11.0.22, 10.1.55, or 9.0.118) to mitigate risks associated with this vulnerability. Older unsupported versions might also be susceptible to similar issues.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.21

Apache Tomcat 10.1.0-M1 <= 10.1.54

Apache Tomcat 9.0.0.M1 <= 9.0.117

References

https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y3...

vendor-advisory

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-43514 Data

JSON