← Back to blog

Critical Tomcat Flaws Enable DoS, Auth Bypass, and Credential Theft

Ubuntu security advisory USN-8417-1 addresses six vulnerabilities in Apache Tomcat affecting memory exhaustion, HTTP/2 validation, authentication bypass, and WebSocket credential leakage. Organizations running Tomcat should prioritize patching to mitigate remote attack vectors.

TL;DR

  • WebDAV request body limits missing; attackers can trigger memory exhaustion and denial of service
  • HTTP/2 header validation flaw may allow remote code execution or server crashes
  • Authentication headers leak during WebSocket upgrades and redirects, exposing credentials
  • Digest authentication and LockOutRealm case-sensitivity issues enable auth bypass
  • Multiple method constraint handling flaw weakens authorization controls

Ubuntu has released security notice USN-8417-1 documenting six vulnerabilities in Apache Tomcat that span multiple attack surfaces: resource exhaustion, protocol handling, credential management, and access control. These flaws affect the widely-deployed Java application server and pose significant risk to organizations relying on Tomcat for production workloads.

The vulnerabilities range from denial-of-service conditions triggered by oversized WebDAV requests to authentication bypass issues in digest authentication and account lockout mechanisms. Most critically, improper header handling during WebSocket upgrades and HTTP/2 processing could enable remote code execution or credential disclosure.

Denial of Service and Resource Exhaustion

  • CVE-2026-41284: Tomcat fails to enforce request body size limits on WebDAV LOCK and PROPFIND operations, allowing attackers to exhaust server memory
  • Uncontrolled memory consumption leads to application unavailability and potential cascading failures in multi-tenant environments
  • Affects deployments exposing WebDAV functionality without external request filtering

Authentication and Credential Leakage

  • CVE-2026-42498: HTTP authentication headers persist during WebSocket connection upgrades and HTTP redirects, exposing sensitive credentials to network observers
  • CVE-2026-43512: Digest authentication validation flaws permit attackers to bypass authentication restrictions
  • CVE-2026-43513: LockOutRealm case-sensitivity handling allows attackers to circumvent account lockout protections and potentially access sensitive information

Protocol and Authorization Flaws

  • CVE-2026-41293: Improper HTTP/2 header field validation may trigger server crashes or remote code execution
  • Incomplete authorization constraint evaluation when multiple method constraints define the same HTTP method weakens access control enforcement
  • These flaws affect core protocol handling and request routing logic

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Critical Tomcat Flaws Enable DoS, Auth Bypass, and Credential Theft — Agent Breach Blog | Agent Breach