CVE-2026-42498

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.21 Apache Tomcat versions 10.1.0-M1 through 10.1.54 Apache Tomcat versions 9.0.2 through 9.0.117 Apache Tomcat versions 8.5.24 through 8.5.100 Apache Tomcat versions 7.0.83 through 7.0.109

Description An issue exists where the HTTP Authentication Header is exposed to unexpected hosts during WebSocket authentication.

Recommendations Upgrade versions 11.0.0-M1 through 11.0.21 to 11.0.22. Upgrade versions 10.1.0-M1 through 10.1.54 to 10.1.55. Upgrade versions 9.0.2 through 9.0.117 to 9.0.118.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

BIT-TOMCAT-2026-42498

CVE-2026-42498

GHSA-FV25-8XCX-GQJC

OESA-2026-2296

OPENSUSE-SU-2026:10925-1

OPENSUSE-SU-2026:10926-1

OPENSUSE-SU-2026:10927-1

Affected Products

Apache Tomcat

CVE-2026-42498

Weakness Enumeration

Related Identifiers

Affected Products

References · 35