Control Flow Vulnerability in Apache Tomcat's Rewrite Valve
CVE-2026-53404
Currently unrated
What is CVE-2026-53404?
The rewrite valve in Apache Tomcat implements control flow incorrectly when it evaluates rewrite conditions. Specifically, if the first condition in an OR chain evaluates to true, subsequent non-OR conditions are bypassed, potentially leading to unintended behavior in request handling. The issue affects multiple versions of Apache Tomcat. Users should upgrade immediately to a patched version: 11.0.23, 10.1.56, or 9.0.119.
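To find rewrite rules whose outcome depends on the logic described above, the following added example (not Apache Tomcat code and not part of the original advisory) scans a rewrite.config for rules in which an OR chain is followed by further ANDed `RewriteCond` lines. It assumes the documented `RewriteCond TestString CondPattern [flags]` layout with `OR`/`ornext` as the chaining flag; the sample configuration and function names are constructed for illustration.

```python
# Constructed sample configuration (not taken from the advisory).
SAMPLE = r"""
# rule 1: OR chain, then a further ANDed condition -> review
RewriteCond %{REMOTE_ADDR} ^10\. [OR]
RewriteCond %{REMOTE_ADDR} ^192\.168\.
RewriteCond %{REQUEST_URI} ^/internal/
RewriteRule ^(.*)$ /app$1 [L]
# rule 2: pure OR chain, nothing follows it
RewriteCond %{HTTP_HOST} ^a\.example$ [NC,OR]
RewriteCond %{HTTP_HOST} ^b\.example$ [NC]
RewriteRule ^/old$ /new [R]
"""

def has_or_flag(tokens):
    """True if the 4th token of a RewriteCond is a flag list containing OR/ornext."""
    if len(tokens) < 4 or not tokens[3].startswith("["):
        return False
    flags = {f.strip().lower() for f in tokens[3].strip("[]").split(",")}
    return bool(flags & {"or", "ornext"})

def or_chain_then_more(conds):
    """conds: per-condition OR flags in file order for one rule."""
    if True not in conds:
        return False
    first = conds.index(True)
    try:
        closing = conds.index(False, first)  # last member of the OR chain
    except ValueError:
        return False  # every remaining condition carries OR
    return closing + 1 < len(conds)  # ANDed conditions exist after the chain

def audit(text):
    """Return [(line_no, rule)] for RewriteRules whose conditions need review."""
    findings, conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "RewriteCond":
            conds.append(has_or_flag(tokens))
        elif tokens[0] == "RewriteRule":
            if or_chain_then_more(conds):
                findings.append((no, raw.strip()))
            conds = []  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for no, rule in audit(SAMPLE):
        print(f"line {no}: review conditions before: {rule}")
```

Rules it reports are the ones to re-test after upgrading, since their ANDed conditions are the ones the description says can be skipped.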
Affected Version(s)
Apache Tomcat 11.0.0-M1 through 11.0.22
Apache Tomcat 10.1.0-M1 through 10.1.55
Apache Tomcat 9.0.0.M1 through 9.0.118