CyberSecurityNews

Apache Tomcat Vulnerabilities Let Attackers Bypass Security Constraints via HTTP/0.9 Requests


Apache Tomcat has disclosed CVE-2026-24733, a Low-severity security constraint bypass that can be triggered via HTTP/0.9 requests when certain access-control rules are configured in a specific way.

The Apache Tomcat security team identified the issue, and the original advisory was published on 2026-02-17.

At a high level, the vulnerability stems from Tomcat not restricting HTTP/0.9 requests to the GET method. HTTP/0.9 is an obsolete, minimal protocol variant that predates modern method and header handling expectations, and it is rarely used intentionally today.

However, if an attacker can reach a Tomcat instance and send crafted HTTP/0.9-style traffic, Tomcat’s method handling can create an unexpected gap in enforcement for security constraints.

The bypass occurs when a Tomcat security constraint is configured to allow HEAD requests to a given URI while denying GET requests to that same URI. Under normal HTTP versions, that rule set would prevent the retrieval of the resource body via GET.

With CVE-2026-24733, an attacker can send a specification-invalid HEAD request using HTTP/0.9 and, in doing so, bypass the configured constraint for GET requests.

This issue is situational by design: it requires a particular constraint configuration (HEAD allowed, GET denied) and an attack path where HTTP/0.9 parsing is accepted end-to-end.

Even so, it is relevant for legacy integrations, unusual clients, and some proxy/topology combinations where protocol normalization may not occur as expected.
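Because the attack path depends on an HTTP/0.9-shaped request reaching Tomcat without being normalized, one practical check is to classify the request lines seen at the proxy or in a capture and flag any HTTP/0.9-style line that uses a method other than GET. The classifier below is an added example, not code from the advisory or from the Tomcat project; the sample request lines are constructed, and the regular expressions encode the author's reading of the request-line grammar rather than Tomcat's own parser.

```python
import re

# HTTP/1.x (and later) request line: METHOD SP request-target SP HTTP/major.minor
FULL_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# HTTP/0.9 "simple request": METHOD SP request-target with no version token at all
SIMPLE_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+)$")


def classify_request_line(line):
    """Classify one raw request line.

    Returns (kind, method) where kind is one of:
      'http1'         - versioned request line (HTTP/1.0, HTTP/1.1, ...)
      'http09-get'    - HTTP/0.9 simple request using GET, the only method 0.9 defines
      'http09-nonget' - HTTP/0.9-shaped line with another method (e.g. HEAD); this is
                        the specification-invalid form the advisory describes and the
                        one worth reviewing
      'malformed'     - anything else
    """
    line = line.rstrip("\r\n")
    m = FULL_REQUEST_LINE.match(line)
    if m:
        return "http1", m.group(1)
    m = SIMPLE_REQUEST_LINE.match(line)
    if m:
        method = m.group(1)
        return ("http09-get" if method == "GET" else "http09-nonget"), method
    return "malformed", None


def find_http09_nonget(lines):
    """Return (line_number, method, target) for every HTTP/0.9-shaped non-GET line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        kind, method = classify_request_line(line)
        if kind == "http09-nonget":
            target = SIMPLE_REQUEST_LINE.match(line.rstrip("\r\n")).group(2)
            hits.append((n, method, target))
    return hits


# Constructed sample request lines (not from a real capture); the third is the
# HTTP/0.9-shaped HEAD that the advisory warns about.
SAMPLE_REQUEST_LINES = [
    "GET /reports/q1.pdf HTTP/1.1",
    "HEAD /reports/q1.pdf HTTP/1.1",
    "HEAD /reports/q1.pdf",
    "GET /index.html",
    "POST /reports/upload HTTP/1.0",
    "garbage line",
]

if __name__ == "__main__":
    for n, method, target in find_http09_nonget(SAMPLE_REQUEST_LINES):
        print(f"line {n}: HTTP/0.9-style {method} for {target}")
```

Plain HTTP/0.9 GET lines are reported separately from non-GET ones so that a legacy client that legitimately speaks 0.9 does not drown out the one shape that matters here; if a fronting proxy is expected to reject or upgrade HTTP/0.9, seeing any `http09-*` line behind it is itself a sign that normalization is not happening.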

Affected Versions and Mitigation

The affected ranges span currently maintained Tomcat branches as well as older end-of-life releases. Organizations running EOL versions should treat this as a reminder to migrate to a supported branch, since security fixes may not be practical to backport safely.

Tomcat branch | Versions affected        | Fixed version
11            | 11.0.0-M1 to 11.0.14     | 11.0.15+
10.1          | 10.1.0-M1 to 10.1.49     | 10.1.50+
9.0           | 9.0.0.M1 to 9.0.112      | 9.0.113+
Older (EOL)   | Also affected            | Upgrade to supported branch

Apache recommends upgrading to the fixed releases listed above. As a practical hardening step, teams should also review access-control intent around HEAD versus GET on protected endpoints and validate that any fronting reverse proxies or load balancers don’t allow unexpected protocol downgrade behavior.
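The review of HEAD-versus-GET intent can be partly automated by scanning a web.xml for security constraints that name GET in an http-method element without also naming HEAD, which is the HEAD-allowed / GET-denied shape the advisory identifies as the precondition. The script below is an added example, not code from the advisory or the Tomcat project; the two descriptors are constructed, and the heuristic is the author's own (it does not evaluate overlapping constraints or http-method-omission). Where the split is unintentional, the Servlet 3.1 deny-uncovered-http-methods element closes it by denying every unlisted method; where it is intentional, upgrading is the remedy.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so descriptors with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def find_get_denied_head_uncovered(web_xml_text):
    """Return (resource-name, [url-patterns]) for each web-resource-collection that
    lists GET in <http-method> without listing HEAD, unless the descriptor sets
    <deny-uncovered-http-methods/>, which denies all unlisted methods anyway.
    """
    root = ET.fromstring(web_xml_text)
    if _children(root, "deny-uncovered-http-methods"):
        return []
    findings = []
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            methods = {m.text.strip().upper()
                       for m in _children(wrc, "http-method") if m.text}
            if "GET" in methods and "HEAD" not in methods:
                names = _children(wrc, "web-resource-name")
                name = names[0].text.strip() if names and names[0].text else "(unnamed)"
                patterns = [p.text.strip()
                            for p in _children(wrc, "url-pattern") if p.text]
                findings.append((name, patterns))
    return findings


# Constructed sample descriptor (not from the advisory). The first constraint denies
# GET under /reports/* to everyone (empty <auth-constraint/>) but says nothing about
# HEAD, so HEAD stays allowed there; the second covers both methods.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports-get-only</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

# Hardened variant: the same constraints plus <deny-uncovered-http-methods/>, so HEAD
# (and every other unlisted method) is denied wherever GET is constrained.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "</web-app>", "  <deny-uncovered-http-methods/>\n</web-app>")

if __name__ == "__main__":
    for name, patterns in find_get_denied_head_uncovered(WEAK_WEB_XML):
        print(f"review constraint {name!r}: GET denied but HEAD uncovered on {patterns}")
```

Run it against each deployed web.xml (and any context-level descriptor that adds constraints); every hit is a constraint whose HEAD/GET split should be confirmed as intended, and the fixed Tomcat releases listed above remain the actual fix for CVE-2026-24733.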
