Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed CVE-2026-43512, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is "null". The flaw affects multiple supported branches, including Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, and 9.0.0.M1 through 9.0.117, with older unsupported releases potentially affected. Apache advised users to upgrade to 11.0.22+, 10.1.55+, or 9.0.118+.
Apache also disclosed CVE-2026-44417, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for CVE-2025-48913. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport 4.2.0 before 4.2.1, 4.0.0 before 4.1.6, and all 3.6.x versions before 3.6.11; Apache said organizations should upgrade to 4.2.1, 4.1.6, or 3.6.11.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Apache publishes patched CXF versions for CVE-2026-44417
Apache recommended upgrading Apache CXF JMS transport to versions 4.2.1, 4.1.6, or 3.6.11 to address CVE-2026-44417. The 2026-05-22 advisory credited exploitintel/@exploit_intel with finding the issue.
Apache discloses Apache CXF incomplete fix flaw (CVE-2026-44417)
On 2026-05-22, Apache disclosed CVE-2026-44417, a moderate-severity vulnerability in Apache CXF's JMS transport caused by an incomplete fix for CVE-2025-48913. The remaining code path could still allow remote code execution when untrusted users are permitted to configure JMS.
Apache releases fixed Tomcat versions for CVE-2026-43512
Apache advised users to upgrade Tomcat to 11.0.22, 10.1.55, or 9.0.118 to remediate CVE-2026-43512. These fixed releases were identified in the 2026-05-12 security advisory.
Apache discloses Tomcat digest authentication bypass (CVE-2026-43512)
On 2026-05-12, Apache disclosed CVE-2026-43512, a moderate-severity flaw in Tomcat's DIGEST authenticator that can authenticate unknown users when the presented password is "null." The issue affects supported Tomcat 11.0.x, 10.1.x, and 9.0.x release lines, with older unsupported versions potentially affected.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
oss-sec: CVE-2026-44417: Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE)
seclists.org
Open sourceoss-sec: CVE-2026-43512: Apache Tomcat: Digest authenticator will authenticate any unknown user
seclists.org
Open source[SECURITY] CVE-2026-43512 Apache Tomcat - Digest authenticator will authenticate any unknown user-Apache Mail Archives
lists.apache.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache CXF Patches LDAP Injection, XXE, and Incomplete-Fix RCE Flaws
The Apache Software Foundation released security updates for **Apache CXF** to fix three newly disclosed vulnerabilities affecting enterprise deployments of the services framework. The flaws include **`CVE-2026-44930`**, an LDAP injection issue in the XKMS LDAP certificate repository that can let attackers manipulate backend search filters and retrieve arbitrary digital certificates, potentially enabling impersonation, interception of encrypted communications, and lateral movement. Apache also addressed an **XXE** flaw in WS-Transfer caused by insecure XML parser configuration, which could expose sensitive files and support internal network mapping, as well as a possible **remote code execution** condition tied to an incomplete fix for an older JMS-related bug. Affected releases include **4.2.0**, **4.0.0 through 4.1.5**, and older branches before **3.6.11**. Apache published patched versions **4.2.1**, **4.1.6**, and **3.6.11**, and guidance urges organizations to upgrade immediately, review LDAP access controls, monitor certificate access activity, and reduce exposure of XKMS components where possible. The disclosures indicate that while the LDAP flaw does not itself provide code execution, the combined set of weaknesses could materially affect trust infrastructure and server security in vulnerable environments.
May 26, 2026
Apache Tomcat OCSP Validation Flaws Let CLIENT_CERT Authentication Fail Open
Apache disclosed two moderate-severity vulnerabilities, **CVE-2026-29145** and **CVE-2026-34500**, affecting **Apache Tomcat** and, in one case, **Apache Tomcat Native**, where OCSP-based certificate validation can sometimes **soft-fail even when soft-fail is disabled**. In affected deployments using `CLIENT_CERT` authentication, this can cause certificate checks not to fail as expected, potentially allowing authentication to proceed under conditions that should have been rejected. The first flaw impacts Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13; Tomcat through 8.5.100 was listed as unaffected. Apache said the second flaw, **CVE-2026-34500**, affects OCSP checking with **FFM** and extends to Tomcat 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. The project urged users to upgrade to fixed releases: for **CVE-2026-29145**, Tomcat 11.0.20, 10.1.53, or 9.0.116 and Tomcat Native 1.3.7 or 2.0.14; for **CVE-2026-34500**, Tomcat 11.0.21, 10.1.54, or 9.0.117. Apache credited **gregk4sec** with reporting CVE-2026-29145 and **Haruki Oyama of Waseda University** with reporting CVE-2026-34500.
Apr 10, 2026
Apache Tomcat Patches for URL Rewrite Bypass and Console Injection Vulnerabilities
Apache Tomcat released security updates addressing two critical vulnerabilities: a URL rewrite bypass (CVE-2025-55752) that could allow directory traversal and potential remote code execution (RCE) if the HTTP PUT method is enabled, and a console ANSI injection flaw (CVE-2025-55754) that could enable manipulation of log messages via escape sequences. The affected versions include Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108, with users and administrators urged to apply the necessary patches immediately to mitigate risk. The URL rewrite bypass vulnerability allows attackers to craft malicious requests that evade security controls, potentially leading to unauthorized file access or code execution on vulnerable servers. The console ANSI injection issue could be exploited to alter log output, possibly obscuring malicious activity or facilitating further attacks. Security advisories from both Apache and national cybersecurity authorities emphasize the importance of prompt remediation to prevent exploitation in the wild.
Mar 21, 2026