CVE-2026-25854
Received Received - Intake
Open Redirect Vulnerability in Apache Tomcat LoadBalancerDrainingValve

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description
Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25854
EUVD
EUVD-2026-21008
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat From 10.1.0 (inc) to 10.1.53 (exc)
apache tomcat From 11.0.0 (inc) to 11.0.20 (exc)
apache tomcat From 9.0.1 (inc) to 9.0.116 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an occasional URL redirection to an untrusted site, also known as an 'Open Redirect', found in Apache Tomcat through the LoadBalancerDrainingValve component.

It affects multiple versions of Apache Tomcat, specifically from 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100.

The issue allows URLs to redirect users to potentially untrusted external sites.

Impact Analysis

This vulnerability can lead to users being redirected to untrusted or malicious websites without their consent.

Such open redirects can be exploited for phishing attacks, where attackers trick users into visiting harmful sites that may steal credentials or distribute malware.

It can also damage the trustworthiness of your web application or service by exposing users to unsafe destinations.

Mitigation Strategies

Users are recommended to upgrade Apache Tomcat to version 11.0.20, 10.1.53, or 9.0.116, which fix the Open Redirect vulnerability in the LoadBalancerDrainingValve.

Compliance Impact

The provided information does not specify how the open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25854. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart