Four Critical Tomcat Vulnerabilities Expose DoS, RCE, and Auth Bypass Risks
Ubuntu security advisory USN-8450-1 addresses four vulnerabilities in Apache Tomcat affecting memory consumption, HTTP/2 validation, credential exposure, and authorization enforcement. Organizations running Tomcat should prioritize patching to mitigate denial-of-service, remote code execution, and access control bypass threats.
TL;DR
- CVE-2026-41284: Unbounded WebDAV request bodies enable memory exhaustion DoS attacks
- CVE-2026-41293: HTTP/2 header validation flaw permits crashes and potential arbitrary code execution
- CVE-2026-42498: Authentication headers leak during WebSocket upgrades and redirects
- CVE-2026-43515: Multiple method constraints allow authorization bypass for protected resources
Apache Tomcat users face a critical security window with the release of Ubuntu security notice USN-8450-1, which documents four distinct vulnerabilities spanning denial-of-service, remote code execution, information disclosure, and access control bypass vectors. These flaws affect core Tomcat functionality including WebDAV request handling, HTTP/2 protocol processing, WebSocket connection management, and authorization constraint evaluation.
The vulnerabilities range from moderate to severe in impact. Memory exhaustion attacks via oversized WebDAV requests can degrade availability, while HTTP/2 header validation failures create pathways for remote code execution. Credential leakage during protocol transitions and authorization logic gaps further expand the attack surface for compromised deployments.
Denial-of-Service and Resource Exhaustion
- CVE-2026-41284 exploits missing request body size limits on WebDAV LOCK and PROPFIND operations
- Attackers can craft oversized payloads to trigger unbounded memory allocation in Tomcat processes
- Sustained attacks lead to service unavailability and potential cascading failures in dependent applications
Remote Code Execution via HTTP/2 Protocol Flaw
- CVE-2026-41293 stems from inadequate validation of HTTP/2 header fields during request parsing
- Malformed headers can trigger crashes or corrupt Tomcat's execution state, enabling code injection
- This vector is particularly dangerous in load-balanced environments where Tomcat processes untrusted external traffic
Authentication Credential Exposure
- CVE-2026-42498 affects HTTP authentication header handling during WebSocket protocol upgrades and HTTP redirects
- Credentials remain in request headers and propagate to downstream systems or are exposed in logs
- Attackers intercepting or logging these transitions can harvest session tokens and authentication material
Authorization Bypass Through Constraint Logic
- CVE-2026-43515 occurs when multiple method constraints define overlapping HTTP method rules (GET, POST, etc.)
- Tomcat's authorization evaluation fails to properly enforce all applicable constraints, allowing unauthorized access
- Protected resources become accessible to unauthenticated or under-privileged users depending on constraint configuration
Remediation and Risk Assessment
- Apply Ubuntu security patches immediately; verify Tomcat version against USN-8450-1 advisory
- Audit WebDAV configurations and disable if not required; implement request size limits at reverse proxy layer
- Review HTTP/2 and WebSocket usage; consider disabling until patches are deployed
- Rotate credentials and audit access logs for evidence of exploitation
- Test authorization constraints post-patch to confirm proper enforcement of method-level access controls
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.