CVE-2026-42498

CVE-2026-42498

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Published May 13, 2026

Apache · Announcement openwall.com

CVSS ScoreHigh

8.7

Vulnerabilities

CVE-2026-42498

Published May 13, 2026

Apache · Announcement openwall.com

CVSS ScoreHigh

8.7

CVE-2026-42498 Security Details

CVE ID: CVE-2026-42498
CWE: CWE-200
CVE Description: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Published: May 13, 2026
CVSS Score & Severity: 8.7High
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.117%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/tomcat/websocket/WsWebSocketContainer.connectToServerRecursive(Lorg/apache/tomcat/websocket/ClientEndpointHolder;Ljavax/websocket/ClientEndpointConfig;Ljava/net/URI;Ljava/util/Set;)Ljavax/websocket/Session;
JVMVulnerable params: 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: Apache · AnnouncementPROJECT
openwall.comTHIRD_PARTY

CVE-2026-42498 Security Details

CVE ID: CVE-2026-42498
CWE: CWE-200
CVE Description: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Published: May 13, 2026
CVSS Score & Severity: 8.7High
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.117%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/apache/tomcat/websocket/WsWebSocketContainer.connectToServerRecursive(Lorg/apache/tomcat/websocket/ClientEndpointHolder;Ljavax/websocket/ClientEndpointConfig;Ljava/net/URI;Ljava/util/Set;)Ljavax/websocket/Session;
JVMVulnerable params: 1
Affected Ecosystems: affected
Source: National Vulnerability Database
References: Apache · AnnouncementPROJECT
openwall.comTHIRD_PARTY

Find vulnerabilities. Fix fast with AI.

CVE-2026-42498

CVE-2026-42498 Security Details

CVE-2026-42498 Security Details