CVE-2026-55955: Apache Tomcat: EncryptInterceptor not protected against replay attacks

Vendor: Apache Software Foundation
Product: Apache Tomcat
Weakness: CWE-287 (Improper authentication)
Published: June 29, 2026
Last update: June 30, 2026

What the vulnerability does

01 Description

An improper authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, or 9.0.119, which fix the issue.

Key dates

02 Disclosure timeline

June 29, 2026: CVE published
June 30, 2026: Record updated