CVE-2026-59083
Apache Software Foundation · Apache Tomcat
A URL encoding vulnerability in Apache Tomcat's RewriteValve allows unauthenticated attackers to bypass security constraints by manipulating hex-encoded characters in requests.
Executive summary
A critical security constraint bypass vulnerability in Apache Tomcat allows unauthenticated remote attackers to access restricted resources via crafted URL requests.
Vulnerability
This is an improper handling of URL encoding vulnerability (CWE-177) within the RewriteValve component. The valve incorrectly decodes the plus character in rewritten URIs, enabling attackers to bypass path-based security constraints.
Business impact
This vulnerability is rated at a critical CVSS score of 9.1. It allows unauthenticated attackers to bypass security controls that protect administrative interfaces or sensitive application endpoints. This can result in unauthorized access to restricted application features or data, potentially leading to a full compromise of the application environment.
Remediation
Immediate Action: Update Apache Tomcat to version 11.0.24, 10.1.57, or 9.0.120 immediately to resolve the URL decoding flaw.
Proactive Monitoring: Monitor web access logs for suspicious URL patterns, specifically those containing unusual hex-encoded sequences or unexpected plus characters that deviate from standard request formats.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to inspect and normalize incoming request URIs, which may help block exploitation attempts targeting the RewriteValve until patching is complete.
Exploitation status
Public Exploit Available: No (false)
Analyst recommendation
The critical severity and confirmed reports of exploitation attempts make this a high-priority remediation. Organizations must verify their current Tomcat version and apply the recommended patches immediately to prevent unauthorized access and potential data compromise.