CVE-2026-43512

CRITICAL EPSS 65.3%

Published May 12, 20261mo ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published May 12, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

65.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-592

Affected Products 5

Vendor	Product	Version	Range
apache	tomcat	*	≥7.0.0 – ≤7.0.109
apache	tomcat	*	≥8.5.0 – ≤8.5.100
apache	tomcat	*	≥9.0.0 – <9.0.118
apache	tomcat	*	≥10.1.0 – <10.1.55
apache	tomcat	*	≥11.0.0 – <11.0.22

References 2

openwall.com http://www.openwall.com/lists/oss-security/2026/05/12/8

Mailing ListThird Party Advisory
lists.apache.org https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.