VDB
CVE-2026-42498
PUBLISHED
CVSS 7.3 HIGH
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
EPSS 0.05% · 15.9th percentile
Risk Scores
CVSS v3.1
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
0.05%
15.9th percentile
Affected Products
| Vendor | Product | Affected Versions | Fixed In |
|---|---|---|---|
| Apache Software Foundation | Apache Tomcat | 11.0.0-M1 through 11.0.21 | 11.0.22 |
| Apache Software Foundation | Apache Tomcat | 10.1.0-M1 through 10.1.54 | 10.1.55 |
| Apache Software Foundation | Apache Tomcat | 9.0.2 through 9.0.117 | 9.0.118 |
| Apache Software Foundation | Apache Tomcat | 8.5.24 through 8.5.100 | no fixed version listed |
| Apache Software Foundation | Apache Tomcat | 7.0.83 through 7.0.109 | no fixed version listed |
Timeline
- May 12, 2026 CVE Published
- May 13, 2026 Security Advisory
- May 18, 2026 CVE Updated
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score
- May 25, 2026 EPSS Score
- May 26, 2026 EPSS Score
References
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118 advisory
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.55 advisory
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22 advisory
- https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb vendor-advisory
- http://www.openwall.com/lists/oss-security/2026/05/12/14 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-42498 advisory