{
  "threat_severity" : "Low",
  "public_date" : "2026-02-17T18:50:43Z",
  "bugzilla" : {
    "description" : "tomcat: security constraint bypass with HTTP/0.9",
    "id" : "2440437",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2440437"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Improper Input Validation vulnerability in Apache Tomcat.\nTomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification-invalid) HEAD request using HTTP/0.9.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.\nOlder, EOL versions are also affected.\nUsers are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which fixes the issue.", "A flaw was found in Tomcat. An improper input validation vulnerability allows an attacker to bypass security constraints. Specifically, if a security constraint is configured to permit HEAD requests to a URI but deny GET requests, a malformed or specification-invalid HEAD request using the HTTP/0.9 protocol can bypass the intended denial rule, enabling an attacker to access resources that should be protected." ],
  "statement" : "This flaw is only exploitable when Tomcat is configured to allow HEAD requests but deny GET requests to the same resource, a very unlikely configuration. For this reason, this flaw has been rated as Low severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Web Server 6.2.2",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12195",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 10",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el10",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el10jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 8",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el8",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.2 on RHEL 9",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:12194",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.2::el9",
    "package" : "jws6-tomcat-0:10.1.49-10.redhat_00008.1.el9jws"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-04T00:00:00Z",
    "advisory" : "RHSA-2026:6569",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "tomcat11-main-11.0.21-0.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-15T00:00:00Z",
    "advisory" : "RHSA-2026:8334",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "tomcat10-main-10.1.54-1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat9",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-24733\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24733\nhttps://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f" ],
  "name" : "CVE-2026-24733",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, ensure that security constraints are consistent across related methods (e.g., if GET is denied, HEAD should also be denied), or, if HTTP/0.9 is not required, block HTTP/0.9 traffic at a reverse proxy or firewall.",
    "lang" : "en:us"
  },
  "csaw" : false
}