Improper Authentication Vulnerability in Apache Tomcat
CVE-2026-55955

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-55955?

An improper authentication vulnerability exists in Apache Tomcat, enabling potential replay attacks targeting the EncryptionInterceptor within the cluster component. This issue affects a range of Apache Tomcat versions from 7.0.100 to 11.0.22. Users are strongly encouraged to update to the latest versions (11.0.23, 10.1.56, 9.0.119) to mitigate this vulnerability effectively.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.22

Apache Tomcat 10.1.0-M1 <= 10.1.55

Apache Tomcat 9.0.13 <= 9.0.118

References

https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54y...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 17, 2026

CVE-2026-55955 Data

JSON