Improper URL Encoding Handling in Apache Tomcat Affects Key Versions
CVE-2026-59083

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
14 July 2026

What is CVE-2026-59083?

A vulnerability exists in Apache Tomcat's rewrite valve that allows for security constraint bypass due to improper handling of URL encoding (hex encoding). This issue affects multiple versions of Apache Tomcat, potentially exposing applications to unauthorized access. It is critical for users to update to the latest versions (11.0.24, 10.1.57, or 9.0.120) to mitigate this risk.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.23

Apache Tomcat 10.1.0-M1 <= 10.1.56

Apache Tomcat 9.0.0.M1 <= 9.0.119

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.