Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2809 articles · 175116 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-43512PATCHED
apache · tomcat

Apache Tomcat: Digest authenticator will authenticate any unknown user

Description

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Affected Products

VendorProductVersions
apachetomcatmaven/org.apache.tomcat.embed:tomcat-embed-core: < 9.0.118, maven/org.apache.tomcat.embed:tomcat-embed-core: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat.embed:tomcat-embed-core: >= 11.0.0-M1, < 11.0.22, maven/org.apache.tomcat:tomcat: < 9.0.118, maven/org.apache.tomcat:tomcat: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat:tomcat: >= 11.0.0-M1, < 11.0.22, maven/org.apache.tomcat:tomcat-catalina: < 9.0.118, maven/org.apache.tomcat:tomcat-catalina: >= 10.1.0-M1, < 10.1.55, maven/org.apache.tomcat:tomcat-catalina: >= 11.0.0-M1, < 11.0.22

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
atlassianjiracert_advisory90%
atlassiancruciblecert_advisory90%
atlassianbitbucketcert_advisory90%
atlassianconfluencecert_advisory90%
atlassianbamboocert_advisory90%

References

  • https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73(vendor-advisory)

Related News (7 articles)

Tier B
BSI Advisories3h ago
[NEU] [hoch] SAP Patch Day Juli 2026
→ No new info (linked only)
Tier D
Heise Security5h ago
SAP-Patchday: Teils kritische Sicherheitslücken in mehreren Produkten gefixt
→ No new info (linked only)
Tier B
CERT-FR26d ago
Multiples vulnérabilités dans les produits Atlassian (18 juin 2026)
→ No new info (linked only)
Tier B
BSI Advisories27d ago
[NEU] [hoch] Atlassian Bamboo, Bitbucket, Confluence, Fisheye, Crucible, Jira und Jira Service Management: Mehrere Schwachstellen
→ No new info (linked only)
Tier B
CERT-FR62d ago
Multiples vulnérabilités dans Apache Tomcat (13 mai 2026)
→ No new info (linked only)
Tier C
VulDB62d ago
CVE-2026-43512 | Apache Tomcat up to 11.0.21 authentication bypass issues
→ No new info (linked only)
Tier C
oss-security62d ago
CVE-2026-43512: Apache Tomcat: Digest authenticator will authenticate any unknown user
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited❌ No
Patch available
org.apache.tomcat.embed:tomcat-embed-core@9.0.118org.apache.tomcat.embed:tomcat-embed-core@10.1.55org.apache.tomcat.embed:tomcat-embed-core@11.0.22org.apache.tomcat:tomcat@9.0.118org.apache.tomcat:tomcat@10.1.55org.apache.tomcat:tomcat@11.0.22org.apache.tomcat:tomcat-catalina@9.0.118org.apache.tomcat:tomcat-catalina@10.1.55org.apache.tomcat:tomcat-catalina@11.0.22
CWECWE-287
PublishedMay 12, 2026
Last enriched62d agov3
Tags
CVE-2026-43512
Trending Score68
Source articles7
Independent5
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-41293EXP
Apache Tomcat: HTTP/2 request headers not validated
Trending: 87
NONECVE-2026-43515EXP
Apache Tomcat: Security constraints not correctly applied
Trending: 77
HIGHCVE-2026-40860EXP
Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp
Trending: 73
HIGHCVE-2026-59245EXP
Apache Airflow FAB provider: FAB auth manager: a DAG named "DAGs" hijacks the global all-DAGs permission (access_control privilege escalation via resource_name() collision)
Trending: 61
HIGHCVE-2026-58065EXP
Apache Airflow Git provider: Git provider hook defaults to StrictHostKeyChecking=no, disabling SSH host-key verification
Trending: 61

Pin to Dashboard

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published
May 12, 2026
Discovered by ZDM
May 12, 2026
Updated: affectedVersions
May 12, 2026
Updated: severity, tags
May 12, 2026
Patch Available
May 14, 2026

Version History

v3
Last enriched 62d ago
v3Tier C62d ago

Updated severity to CRITICAL, marked exploit availability as false, and added CVE-2026-43512 as a new tag.

severitytags
via VulDB
v2Tier C62d ago

Updated severity to MEDIUM, added affected version 7.0.109, and marked exploit availability and active exploitation as true.

affectedVersions
via oss-security
v162d ago

Initial creation