6.5

CVE-2026-55955

Apache Tomcat: EncryptInterceptor not protected against replay attacks

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version < 9.0.19
ApacheTomcat Version >= 10.1.0 < 10.1.56
ApacheTomcat Version >= 11.0.0 < 11.0.23
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.28% 0.198
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://lists.apache.org/thread/g4p5sf45p3f9r011pwqs9r54yd64s106
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/06/29/24
Third Party Advisory