CVE-2026-59083
Received Received - Intake

Improper URL Encoding Bypass in Apache Tomcat

Vulnerability report for CVE-2026-59083, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Apache Software Foundation

Description

Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0 through 8.5.100.Β Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.24, 10.1.57 or 9.0.120, which fix the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
apache tomcat From 11.0.0-M1 (inc) to 11.0.23 (inc)
apache tomcat From 10.1.0-M1 (inc) to 10.1.56 (inc)
apache tomcat From 9.0.0.M1 (inc) to 9.0.119 (inc)
apache tomcat From 8.5.0 (inc) to 8.5.100 (inc)
apache tomcat 11.0.24
apache tomcat 10.1.57
apache tomcat 9.0.120

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-177 The product does not properly handle when all or part of an input has been URL encoded.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59083 is an Improper Handling of URL Encoding (Hex Encoding) vulnerability in Apache Tomcat's rewrite valve. This flaw allows an attacker to bypass security constraints in certain configurations by exploiting how Tomcat processes hex-encoded URLs.

The vulnerability affects multiple versions of Apache Tomcat, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.0.M1 through 9.0.119, and 8.5.0 through 8.5.100. End-of-life versions may also be impacted.

The issue arises when the rewrite valve does not properly interpret hex-encoded characters in URLs, potentially allowing unauthorized access to restricted resources or bypassing security measures like authentication or authorization checks.

Impact Analysis

If your system is running an affected version of Apache Tomcat, this vulnerability could have several impacts:

  • Security Constraint Bypass: Attackers may bypass security constraints (e.g., authentication or authorization rules) configured in your Tomcat deployment, gaining unauthorized access to sensitive resources or functionalities.
  • Data Exposure: Unauthorized access could lead to the exposure of sensitive data, such as user credentials, personal information, or proprietary business data.
  • Privilege Escalation: If the bypass allows access to administrative or high-privilege functions, attackers could escalate their privileges within the system.
  • Service Disruption: In some cases, exploitation could lead to partial or full disruption of services relying on the affected Tomcat instance.

The severity of the impact depends on the specific configuration of your Tomcat server and the sensitivity of the data or services it handles.

Compliance Impact

This vulnerability can have significant implications for compliance with various standards and regulations, depending on the nature of the data and services your organization handles:

  • GDPR (General Data Protection Regulation): If the vulnerability leads to unauthorized access to personal data of EU citizens, it could result in a breach of GDPR. Non-compliance may lead to hefty fines (up to 4% of global revenue or €20 million, whichever is higher) and reputational damage.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI) in the U.S., exploitation of this vulnerability could lead to unauthorized access to PHI, violating HIPAA's Security Rule. This may result in penalties ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year.
  • PCI DSS (Payment Card Industry Data Security Standard): If your Tomcat instance processes, stores, or transmits payment card data, this vulnerability could lead to non-compliance with PCI DSS requirements, particularly those related to access control and secure configuration. Non-compliance may result in fines, increased transaction fees, or loss of ability to process payments.
  • Other Regulations: Depending on your industry and region, other regulations like SOX (Sarbanes-Oxley Act), FISMA (Federal Information Security Management Act), or industry-specific standards may also be impacted if the vulnerability leads to unauthorized access or data breaches.

To maintain compliance, it is critical to apply the recommended patches (upgrading to versions 11.0.24, 10.1.57, or 9.0.120) and conduct a thorough review of your security controls to ensure no unauthorized access occurred.

Mitigation Strategies

To mitigate the vulnerability described in CVE-2026-59083, you should immediately upgrade Apache Tomcat to one of the fixed versions based on your current deployment:

  • For Apache Tomcat 11.x: Upgrade to version 11.0.24 or later.
  • For Apache Tomcat 10.1.x: Upgrade to version 10.1.57 or later.
  • For Apache Tomcat 9.0.x: Upgrade to version 9.0.120 or later.

If upgrading is not immediately feasible, consider disabling the rewrite valve or applying other temporary workarounds, though upgrading is the recommended and most reliable solution.

Detection Guidance

The provided context does not include specific detection methods or commands for identifying the Improper Handling of URL Encoding (Hex Encoding) vulnerability (CVE-2026-59083) in Apache Tomcat. However, general approaches to detect vulnerable versions of Apache Tomcat include:

  • Check the installed version of Apache Tomcat on your system. Vulnerable versions are from 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.0.M1 through 9.0.119, and 8.5.0 through 8.5.100. You can typically find the version in the Tomcat manager interface, logs, or by running the following command if Tomcat is installed:
  • For Linux systems, check the version file: `cat /path/to/tomcat/lib/catalina.jar | grep "Implementation-Version"` or `version.sh` in the Tomcat `bin` directory.
  • For Windows systems, check the `RELEASE-NOTES` file in the Tomcat installation directory or run the `version.bat` script in the `bin` directory.
  • Review Tomcat configuration files (e.g., `conf/web.xml`, `conf/server.xml`) for the presence of the `rewrite valve` and security constraints that might be bypassed due to this vulnerability. Look for `<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />` in `server.xml`.
  • Use vulnerability scanning tools (e.g., Nessus, OpenVAS, or Nmap with NSE scripts) to detect outdated or vulnerable versions of Apache Tomcat running on your network.

For specific detection techniques or proof-of-concept (PoC) commands, refer to security advisories or resources from the Apache Tomcat project or security researchers. The provided resources do not contain actionable detection details.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59083. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart