7.3

CVE-2026-42498

EPSS 0.1%
Veröffentlicht 12.05.2026 15:17:56
Zuletzt bearbeitet 14.05.2026 18:51:59
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Tomcat: WebSocket authentication header exposure

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.

Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 5 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 7.0.0 <= 7.0.109

Apache ≫ Tomcat Version >= 8.5.0 <= 8.5.100

Apache ≫ Tomcat Version >= 9.0.0 < 9.0.118

Apache ≫ Tomcat Version >= 10.1.0 < 10.1.55

Apache ≫ Tomcat Version >= 11.0.0 < 11.0.22

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.268

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/12/14

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-42498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42498

EUVD