CVE-2026-24880
HTTP Request Smuggling in Apache Tomcat via Invalid Chunk Extension
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | tomcat | From 10.1.0 (inc) to 10.1.53 (exc) |
| apache | tomcat | From 11.0.0 (inc) to 11.0.20 (exc) |
| apache | tomcat | From 9.0.0 (inc) to 9.0.116 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Inconsistent Interpretation of HTTP Requests (CWE-444), better known as HTTP Request Smuggling, in Apache Tomcat. When a request body is sent with Transfer-Encoding: chunked, every chunk starts with a size line that may carry an optional chunk extension (a ';'-separated list of name or name=value items). Tomcat's handling of an invalid chunk extension can differ from how a front-end proxy parses the same bytes, so the two hops disagree on where one request's body ends and the next request begins. That disagreement is what lets an attacker hide a second request inside the body of the first.
How can this vulnerability impact me?
An attacker who can send requests through a reverse proxy, load balancer or WAF to a vulnerable Tomcat can smuggle a second request inside the body of the first. Because the front end has already applied its checks to the outer request, the smuggled request can bypass front-end security controls, be delivered on a connection shared with other clients, or otherwise interfere with web traffic and cause unexpected server behavior. This can lead to unauthorized access, data manipulation, or denial of service. If Tomcat is exposed directly with no intermediary parsing the request, the boundary disagreement has no second party to exploit, so the practical risk is highest in proxied deployments.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Tomcat to 11.0.20, 10.1.52, or 9.0.116 or later, which fix the issue. Note that the affected-version table on this page ends the vulnerable 10.1.x range at 10.1.53 (exclusive) rather than 10.1.52; on the 10.1 branch, install 10.1.53 or later to be covered in either case, and confirm the fixed version against the Apache Tomcat security page for your branch.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is HTTP Request Smuggling via invalid chunk extensions in Apache Tomcat. Because it is a parsing disagreement rather than a crash or a log entry, detection means looking for requests with Transfer-Encoding: chunked whose chunk-size lines carry malformed extensions. Per RFC 9112 section 7.1.1 a chunk line is `chunk-size [ chunk-ext ] CRLF` with `chunk-ext = *( BWS ";" BWS token [ BWS "=" ( token / quoted-string ) ] )`; anything after the hex size that does not fit that grammar is suspect. The best place to look is the reverse proxy in front of Tomcat, where both sides of the disagreement meet.
One approach is to capture HTTP traffic with tcpdump, tshark or Wireshark and inspect the chunked requests. This only works where the traffic is in clear text, typically between a TLS-terminating proxy and Tomcat; for traffic inside TLS, capture at the proxy or after termination.
Example commands to capture HTTP traffic on a server or network interface include:
- tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 8080'
- tshark -i <interface> -Y 'http.transfer_encoding contains "chunked"' -T fields -e ip.src -e http.request.uri -e http.chunk_size
The tshark filter lists chunked requests and their chunk sizes; the extension text itself is not a separate field, so follow the matching TCP stream (or feed the captured bodies to a script) to read the raw chunk lines.
Additionally, HTTP request smuggling scanners can send crafted chunked requests with invalid extensions to test whether a front end and Tomcat desynchronize. Run them only against systems you are authorized to test, and keep in mind that the exact malformed extension Tomcat mishandled is not stated on this page, so a scanner's generic payloads may not reproduce it.
Since the vulnerability is fixed in the releases listed above, the most reliable check is the Tomcat version: run `bin/version.sh` (or `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`) from CATALINA_HOME and compare the result against the affected ranges in the table.
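The following script is an added example for this page, not Apache Tomcat's parser or any tool the page names. It shows the two halves of the problem described above: a strict RFC 9112 chunk-line parser beside a lenient one that only reads the leading hex digits, applied to the same pipelined bytes so the desync is visible as leftover data, and a scanner that walks a captured chunked body and reports every chunk line whose extension breaks the RFC grammar. The request bytes are constructed, and the control byte inside the extension is a stand-in for "invalid"; the exact form Tomcat mishandled is not stated on this page.

```python
"""Chunk-line parsing per RFC 9112 section 7.1.1, strict vs. lenient, plus a
scanner for invalid chunk extensions in captured request bodies.

Added example for this page; it is not Apache Tomcat's parser. The request
bytes below are constructed, and the control byte in the extension is a
stand-in for "invalid": the exact form Tomcat mishandled is not stated here.
"""
import re
from typing import List, Optional, Tuple

# chunk line     = chunk-size [ chunk-ext ] CRLF
# chunk-ext      = *( BWS ";" BWS chunk-ext-name [ BWS "=" chunk-ext-val ] )
# chunk-ext-name = token ; chunk-ext-val = token / quoted-string (RFC 9110 5.6)
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t -~])*"'
CHUNK_EXT = rf"(?:[ \t]*;[ \t]*{TOKEN}(?:[ \t]*=(?:{TOKEN}|{QUOTED}))?)*"
STRICT_CHUNK_LINE = re.compile(rf"^([0-9A-Fa-f]+){CHUNK_EXT}$")
LENIENT_SIZE = re.compile(r"^([0-9A-Fa-f]+)")  # leading hex only; rest ignored


def parse_chunked(body: bytes, strict: bool) -> Tuple[Optional[bytes], bytes, Optional[str]]:
    """Decode one chunked body. Returns (decoded, leftover, error).

    `leftover` is what follows the terminating CRLF, i.e. what a keep-alive
    server would read as the start of the NEXT request. Strict mode rejects any
    chunk line that is not RFC-valid and consumes nothing; lenient mode uses the
    leading hex digits and ignores the rest of the line. Trailer fields are not
    handled, so the last chunk must be followed directly by an empty line.
    """
    out, pos = bytearray(), 0
    line_re = STRICT_CHUNK_LINE if strict else LENIENT_SIZE
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return None, body, "truncated chunk line"
        line = body[pos:eol].decode("latin-1")
        m = line_re.match(line)
        if not m:
            return None, body, f"invalid chunk line {line!r}"
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                return None, body, "trailer fields not supported here"
            return bytes(out), body[pos + 2:], None
        if body[pos + size:pos + size + 2] != b"\r\n":
            return None, body, "truncated chunk data"
        out += body[pos:pos + size]
        pos += size + 2


def find_invalid_chunk_lines(body: bytes) -> List[str]:
    """Walk the chunk framing of a captured body (the bytes after the blank line
    that ends the headers) and return every chunk line that violates the RFC
    grammar. Walking uses the lenient size so the scan continues past a bad line.
    """
    bad: List[str] = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bad
        line = body[pos:eol].decode("latin-1")
        m = LENIENT_SIZE.match(line)
        if not m:
            bad.append(line)
            return bad  # no readable size at all; framing is lost
        if not STRICT_CHUNK_LINE.match(line):
            bad.append(line)
        size = int(m.group(1), 16)
        if size == 0:
            return bad
        pos = eol + 2 + size + 2


# Constructed samples (not real traffic). MALFORMED carries a control byte in
# the extension, which `token` does not allow, followed by a pipelined request.
VALID = b"5;ext=v\r\nhello\r\n0\r\n\r\n"
MALFORMED = (b"5;\x01bad\r\nhello\r\n0\r\n\r\n"
             b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("valid", VALID), ("malformed", MALFORMED)):
        print(name, "strict  ->", parse_chunked(raw, strict=True))
        print(name, "lenient ->", parse_chunked(raw, strict=False))
        print(name, "bad lines:", find_invalid_chunk_lines(raw))
```

On MALFORMED the strict parser returns an error and consumes nothing, while the lenient parser returns `hello` and reports leftover bytes beginning with `GET /admin`. When one hop in front of Tomcat behaves like the lenient parser and the other like the strict one (or any other pair that disagrees), those leftover bytes are the smuggled request. `find_invalid_chunk_lines` is the check to run over bodies pulled from a capture (for example `tcpdump -w` plus stream reassembly) instead of relying on display filters that do not expose the extension text.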