Zero Day Monitor (ZDM)
CVE-2026-42498 · EXPLOITED · PATCHED
apache · tomcat

Apache Tomcat: WebSocket authentication header exposure

Description

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Affected Products

Vendor    Product    Versions
apache    tomcat     11.0.0-M1, 10.1.0-M1, 9.0.2, 8.5.24, 7.0.83

References

  • https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb (vendor-advisory)

Related News (3 articles)

Tier B · CERT-FR · 1d ago
Multiple vulnerabilities in Apache Tomcat (13 May 2026)
→ No new info (linked only)
Tier C · VulDB · 1d ago
CVE-2026-42498 | Apache Tomcat up to 11.0.21 WebSocket Authentication information disclosure
→ No new info (linked only)
Tier C · oss-security · 2d ago
CVE-2026-42498: Apache Tomcat: WebSocket authentication header exposure
→ No new info (linked only)
CISA KEV: No
Actively exploited: Yes
Patch available: https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb
CWE: CWE-200
Published: May 12, 2026
Last enriched: 1d ago (v3)
Tags: CVE-2026-42498
Trending Score: 52
Source articles: 3
Independent: 3
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 54
CRITICAL · CVE-2026-41293 · EXP
Apache Tomcat: HTTP/2 request headers not validated
Trending: 52
CRITICAL · CVE-2026-43515 · EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 52
NONE · CVE-2026-41284 · EXP
Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Trending: 52
HIGH · CVE-2026-29129 · EXP
Apache Tomcat: TLS cipher order is not preserved
Trending: 44


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 12, 2026
Discovered by ZDM: May 12, 2026
Updated (severity): May 12, 2026
Updated (severity, activelyExploited, tags): May 12, 2026
Actively Exploited: May 13, 2026
Patch Available: May 13, 2026

Version History

v3 · Last enriched 1d ago

v3 · Tier C · 1d ago

Updated severity to MEDIUM, marked as actively exploited, and added CVE ID CVE-2026-42498.

Changed: severity, activelyExploited, tags
via VulDB

v2 · Tier C · 1d ago

Updated severity from NONE to LOW and set patchAvailable to null.

Changed: severity
via oss-security

v1 · 1d ago

Initial creation