Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.1
CVE-2026-55276: Apache Tomcat: Missing Security Roles in Error Logs
CVE-2026-55276
BIT-tomcat-2026-55276
Summary
A security issue in Apache Tomcat could lead to sensitive information being left out of error logs, potentially exposing security settings. Affected versions of Apache Tomcat should be upgraded to the latest fixed versions to prevent this issue.
What to do
- Update tomcat to version 11.0.23.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Bitnami | – | tomcat |
>= 11.0.0, < 11.0.23 Fix: upgrade to 11.0.23
|
Original title
Apache Tomcat: Logged effective web.xml is incomplete
Original description
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.
This issue affects Apache Tomcat: from 11.0.0 through 11.0.22, from 10.1.0 through 10.1.55, from 9.0.0 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
This issue affects Apache Tomcat: from 11.0.0 through 11.0.22, from 10.1.0 through 10.1.55, from 9.0.0 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.
Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Vulnerability type
CWE-670
Published: 6 Jul 2026 · Updated: 6 Jul 2026 · First seen: 29 Jun 2026