PT-2026-20316 · Apache · Apache Tomcat

Mark Thomas · Published 2025-12-08 · Updated 2026-03-23 · CVE-2026-24733

CVSS v3.1: 6.5 (Medium) · AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 11.0.0-M1 through 11.0.14
Apache Tomcat versions 10.1.0-M1 through 10.1.49
Apache Tomcat versions 9.0.0-M1 through 9.0.112
Older, End-of-Life (EOL) versions are also affected

Description

Apache Tomcat does not restrict HTTP/0.9 requests to the GET method, the only method HTTP/0.9 defines. An attacker can use this to bypass security constraints: if a constraint is configured to allow HEAD requests to a Uniform Resource Identifier (URI) but denies GET requests to the same URI, a crafted, specification-invalid HEAD request sent as HTTP/0.9 circumvents the intended GET restriction. The issue arises only where a Tomcat security constraint allows HEAD while denying GET for the same URI.

Recommendations

Upgrade to Apache Tomcat version 11.0.15 or later.
Upgrade to Apache Tomcat version 10.1.50 or later.
Upgrade to Apache Tomcat version 9.0.113 or later.
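As an added illustration that is not part of the advisory, the web.xml fragment below shows the constraint shape the description refers to (GET denied, HEAD left uncovered on the same URI) beside a shape that constrains the URI for every method, so no HEAD/GET split exists for the parser issue to reach. The /admin/* path and the resource names are assumptions; upgrading remains the fix.

```xml
<!-- Constructed example, not from the advisory or the Tomcat project. -->

<!-- Vulnerable shape: the constraint names GET only, so GET to /admin/*
     is denied (empty auth-constraint) while HEAD to the same URI is
     left uncovered, i.e. allowed. Affected Tomcat versions did not
     limit HTTP/0.9 requests to GET, so this split is exploitable. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-get-only</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint/> <!-- no role-name: denies the listed method -->
</security-constraint>

<!-- Safer shape: no http-method element, so the constraint covers every
     method (GET, HEAD, POST, ...) on the URI and HEAD is treated exactly
     like GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin-all-methods</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/> <!-- denies all methods on /admin/* -->
</security-constraint>

<!-- Servlet 3.1+ web-app element: any method not covered by some
     security-constraint on a constrained URL is rejected instead of
     being allowed by default. -->
<deny-uncovered-http-methods/>
```

Reviewing deployed web.xml files for `<http-method>` elements that cover only some methods of a URL pattern is a quick way to find this configuration pattern.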


Related Identifiers

BIT-TOMCAT-2026-24733
CVE-2026-24733
GHSA-QQ5R-98HH-RXC9
MGASA-2026-0056
OPENSUSE-SU-2026:10305-1
OPENSUSE-SU-2026:10306-1
OPENSUSE-SU-2026:10307-1
OPENSUSE-SU-2026:20350-1
SUSE-SU-2026:0877-1
SUSE-SU-2026:0890-1
SUSE-SU-2026:0922-1
SUSE-SU-2026:0932-1

Affected Products

Apache Tomcat