CVE-2026-59083

Apache Software Foundation · Apache Tomcat

A URL encoding vulnerability in Apache Tomcat's RewriteValve allows unauthenticated attackers to bypass security constraints by manipulating hex-encoded characters in requests.

Executive summary

A critical security constraint bypass vulnerability in Apache Tomcat allows unauthenticated remote attackers to access restricted resources via crafted URL requests.

Vulnerability

This is an improper handling of URL encoding vulnerability (CWE-177) within the RewriteValve component. The valve incorrectly decodes the plus character in rewritten URIs, enabling attackers to bypass path-based security constraints.

Business impact

This vulnerability is rated at a critical CVSS score of 9.1. It allows unauthenticated attackers to bypass security controls that protect administrative interfaces or sensitive application endpoints. This can result in unauthorized access to restricted application features or data, potentially leading to a full compromise of the application environment.

Remediation

Immediate Action: Update Apache Tomcat to version 11.0.24, 10.1.57, or 9.0.120 immediately to resolve the URL decoding flaw.

Proactive Monitoring: Monitor web access logs for suspicious URL patterns, specifically those containing unusual hex-encoded sequences or unexpected plus characters that deviate from standard request formats.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to inspect and normalize incoming request URIs, which may help block exploitation attempts targeting the RewriteValve until patching is complete.

Exploitation status

Public Exploit Available: No (false)

Analyst recommendation

The critical severity and confirmed reports of exploitation attempts make this a high-priority remediation. Organizations must verify their current Tomcat version and apply the recommended patches immediately to prevent unauthorized access and potential data compromise.