PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55955 Apache CVE debrief

CVE-2026-55955 is an Improper Authentication vulnerability in Apache Tomcat that allows a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, or 9.0.119, which fixes the issue. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.

Vendor
Apache
Product
Tomcat
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-29
Original CVE updated
2026-07-10
Advisory published
2026-06-29
Advisory updated
2026-07-10

Who should care

Users of Apache Tomcat versions from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109 should be aware of this vulnerability and take action to upgrade to a fixed version. This includes operators, platform administrators, vulnerability management teams, and security teams.

Technical summary

The vulnerability is caused by improper authentication in Apache Tomcat, allowing a replay attack against the EncryptionInterceptor in the cluster component. The CVSS score for this vulnerability is 6.5, with a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Affected versions include 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109.

Defensive priority

Medium priority should be given to upgrading to a fixed version of Apache Tomcat, as the vulnerability allows a replay attack against the EncryptionInterceptor in the cluster component.

Recommended defensive actions

  • Upgrade to Apache Tomcat version 11.0.23, 10.1.56, or 9.0.119
  • Review and update inventory of Apache Tomcat instances
  • Monitor for potential replay attacks against the EncryptionInterceptor in the cluster component
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-29T21:16:45.490Z and was last modified on 2026-07-10T12:22:23.967Z. The NVD entry is currently Analyzed. The vulnerability affects multiple versions of Apache Tomcat, including 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users should verify their deployments and plan for upgrades or mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-29T21:16:45.490Z and has not been modified since then. The NVD entry is currently Analyzed.