Apache Tomcat: Unsecured Access to Sensitive Pages
UBUNTU-CVE-2026-43515
Summary
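Apache Tomcat has an improper authorization flaw that occurs when multiple method constraints define an HTTP method for the same extension, which could allow unauthorized users to access certain web pages. It affects Apache Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. To fix this, upgrade to version 11.0.22, 10.1.55, or 9.0.118.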
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Ubuntu:Pro:14.04:LTS | canonical | tomcat6 | All versions |
| Ubuntu:Pro:14.04:LTS | canonical | tomcat7 | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | tomcat8 | All versions |
| Ubuntu:16.04:LTS | canonical | tomcat6 | All versions |
| Ubuntu:Pro:16.04:LTS | canonical | tomcat7 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | tomcat7 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | tomcat8 | All versions |
| Ubuntu:Pro:18.04:LTS | canonical | tomcat9 | All versions |
| Ubuntu:Pro:20.04:LTS | canonical | tomcat9 | All versions |
| Ubuntu:Pro:22.04:LTS | canonical | tomcat9 | All versions |
| Ubuntu:Pro:24.04:LTS | canonical | tomcat10 | All versions |
| Ubuntu:Pro:24.04:LTS | canonical | tomcat9 | All versions |
| Ubuntu:25.10 | canonical | tomcat10 | All versions |
| Ubuntu:25.10 | canonical | tomcat11 | All versions |
| Ubuntu:25.10 | canonical | tomcat9 | All versions |
| Ubuntu:26.04:LTS | canonical | tomcat10 | All versions |
| Ubuntu:26.04:LTS | canonical | tomcat11 | All versions |
| Ubuntu:26.04:LTS | canonical | tomcat9 | All versions |
Original title
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21...
Original description
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVSS 3.1 score (OSV): 9.1
- https://ubuntu.com/security/CVE-2026-43515 (Third Party Advisory)
- https://www.cve.org/CVERecord?id=CVE-2026-43515 (Third Party Advisory)
Published: 12 May 2026 · Updated: 2 Jun 2026 · First seen: 2 Jun 2026