PatchSiren cyber security CVE debrief
CVE-2026-55955 Apache CVE debrief
CVE-2026-55955 is an Improper Authentication vulnerability in Apache Tomcat that allows a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, or 9.0.119, which fixes the issue. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.
- Vendor
- Apache
- Product
- Tomcat
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-29
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-06-29
- Advisory updated
- 2026-07-10
Who should care
Users of Apache Tomcat versions from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109 should be aware of this vulnerability and take action to upgrade to a fixed version. This includes operators, platform administrators, vulnerability management teams, and security teams.
Technical summary
The vulnerability is caused by improper authentication in Apache Tomcat, allowing a replay attack against the EncryptionInterceptor in the cluster component. The CVSS score for this vulnerability is 6.5, with a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Affected versions include 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109.
Defensive priority
Medium priority should be given to upgrading to a fixed version of Apache Tomcat, as the vulnerability allows a replay attack against the EncryptionInterceptor in the cluster component.
Recommended defensive actions
- Upgrade to Apache Tomcat version 11.0.23, 10.1.56, or 9.0.119
- Review and update inventory of Apache Tomcat instances
- Monitor for potential replay attacks against the EncryptionInterceptor in the cluster component
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-29T21:16:45.490Z and was last modified on 2026-07-10T12:22:23.967Z. The NVD entry is currently Analyzed. The vulnerability affects multiple versions of Apache Tomcat, including 11.0.0-M1 through 11.0.22, 10.1.0-M1 through 10.1.55, 9.0.13 through 9.0.18, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users should verify their deployments and plan for upgrades or mitigations.
Official resources
-
CVE-2026-55955 CVE record
CVE.org
-
CVE-2026-55955 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mailing List, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-29T21:16:45.490Z and has not been modified since then. The NVD entry is currently Analyzed.