Apache Tomcat Control Flow Issue Affecting Multiple Versions
CVE-2026-55276
Currently unrated
What is CVE-2026-55276?
An improper control flow implementation in Apache Tomcat causes special roles and empty authorization constraints to be excluded from logs generated from the effective web.xml file. As a result, essential authorization information may not be accurately captured or monitored, which could lead to security risks. Users are encouraged to apply the security updates by upgrading to version 11.0.23, 10.1.56, or 9.0.119 to mitigate this issue.
Affected Version(s)
Apache Tomcat 11.0.0-M1 <= 11.0.22
Apache Tomcat 10.1.0-M1 <= 10.1.55
Apache Tomcat 9.0.0.M1 <= 9.0.118
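Because the logged effective web.xml can omit these entries on affected versions, they can be listed directly from a deployment descriptor instead. The following is an added example, not code from Apache Tomcat or from this advisory. It assumes the Servlet specification's special role names `*` and `**`, uses a constructed sample descriptor, and reads a single descriptor only (no merged fragments or annotations).

```python
import xml.etree.ElementTree as ET

# Special role names from the Servlet specification (an assumption here; the page
# does not name them): "*" = all declared roles, "**" = any authenticated user.
SPECIAL_ROLES = {"*", "**"}

# Constructed sample descriptor, for illustration only.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so Java EE and Jakarta EE descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def audit_constraints(xml_text):
    """Return (url_patterns, finding) for each empty or special-role auth-constraint."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = tuple(e.text.strip() for e in sc.iter()
                         if _local(e.tag) == "url-pattern" and e.text)
        for ac in (e for e in sc if _local(e.tag) == "auth-constraint"):
            roles = [r.text.strip() for r in ac
                     if _local(r.tag) == "role-name" and r.text]
            if not roles:  # no role-name at all: per the Servlet spec, nobody gets access
                findings.append((patterns, "empty auth-constraint"))
            findings += [(patterns, "special role " + r) for r in roles if r in SPECIAL_ROLES]
    return findings

if __name__ == "__main__":
    for patterns, finding in audit_constraints(SAMPLE_WEB_XML):
        print(", ".join(patterns), "->", finding)
```

Comparing this output with what the server logs for the same application shows whether the logged view is missing authorization entries.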