CVE-2026-24733
Public on 2026-02-17
Modified on 2026-02-19
Description
A flaw was found in Tomcat. An improper input validation vulnerability allows an attacker to bypass security constraints. Specifically, if a security constraint is configured to permit HEAD requests to a URI but deny GET requests, a malformed or specification-invalid HEAD request using the HTTP/0.9 protocol can bypass the intended denial rule, enabling an attacker to access resources that should be protected.
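As an added detection example, not part of this advisory or of Tomcat itself: a small Python scanner over Tomcat access-log lines in the default `common` pattern that flags request lines with no `HTTP/x.y` token (the assumption here is that Tomcat logs an HTTP/0.9 request line without a protocol token) and singles out a successful HEAD on a URI that a security constraint is meant to cover. The log lines and the protected URI prefixes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
# Request line: METHOD SP URI, optionally followed by SP HTTP/x.y.
# Assumption: an HTTP/0.9 request is logged with no protocol token.
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/\d\.\d))?\s*$')

# Hypothetical URI prefixes covered by a <security-constraint> in web.xml.
PROTECTED_PREFIXES = ("/admin/", "/internal/")

@dataclass
class Finding:
    host: str
    method: str
    uri: str
    status: int
    reason: str

def analyse(line: str):
    """Return a Finding for an HTTP/0.9-style request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = REQ_RE.match(m.group("request"))
    if not r:
        return None
    method, uri, proto = r.group("method"), r.group("uri"), r.group("proto")
    status = int(m.group("status"))
    if proto is not None:
        return None  # normal HTTP/1.x request line, not of interest here
    # High signal: a HEAD without a protocol token that was served (2xx)
    # on a path the security constraint is supposed to deny for GET.
    if method == "HEAD" and uri.startswith(PROTECTED_PREFIXES) and status < 300:
        return Finding(m.group("host"), method, uri, status,
                       "HTTP/0.9 HEAD served on constrained URI")
    return Finding(m.group("host"), method, uri, status,
                   "HTTP/0.9 request line (no protocol token)")

def scan(lines):
    return [f for f in (analyse(line) for line in lines) if f]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2026:10:00:01 +0000] "GET /admin/config HTTP/1.1" 403 -',
    '10.0.0.5 - - [17/Feb/2026:10:00:02 +0000] "HEAD /admin/config HTTP/1.1" 200 -',
    '10.0.0.5 - - [17/Feb/2026:10:00:03 +0000] "HEAD /admin/config" 200 -',
    '10.0.0.9 - - [17/Feb/2026:10:00:04 +0000] "GET /index.html" 200 512',
    '10.0.0.7 - - [17/Feb/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Only the two protocol-less request lines are reported; the HTTP/1.1 HEAD on the constrained path is the policy working as configured, so it is left alone.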
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | tomcat | 2026-03-19 | ALAS2-2026-3204 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2026-03-19 | ALAS2TOMCAT9-2026-024 | Fixed |
| Amazon Linux 2023 | tomcat10 | 2026-03-27 | ALAS2023-2026-1497 | Fixed |
| Amazon Linux 2023 | tomcat9 | 2026-03-27 | ALAS2023-2026-1496 | Fixed |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | CVSSv3 | 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N |