Product and software information
Multiple vulnerabilities in Apache Tomcat (June 29, 2026)
Summary

The Apache Software Foundation has published advisories for the Apache Tomcat vulnerabilities CVE-2026-55957, CVE-2026-55956, CVE-2026-55955, CVE-2026-55276, CVE-2026-53434, CVE-2026-53404 and CVE-2026-50229:

- Fixed in Apache Tomcat 11.0.23: https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.23
- Fixed in Apache Tomcat 11.0.5: https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.5
- Fixed in Apache Tomcat 10.1.56: https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.56
- Fixed in Apache Tomcat 10.1.39: https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.39
- Fixed in Apache Tomcat 9.0.119: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.119
- Fixed in Apache Tomcat 9.0.102: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.102

Possible impacts Refer to the Apache Tomcat advisories.
Solution

Refer to the Apache Tomcat advisories.

Publication Date July 1, 2026, midnight
Registration Date July 2, 2026, 11:25 a.m.
Last Update July 2, 2026, 11:25 a.m.
Affected System
Apache Software Foundation
Apache Tomcat 
CVE (Common Vulnerabilities and Exposures identifier)
Vendor information
Other
Change Log
No. | Changed details | Date of change
1 | [July 2, 2026] Published | July 2, 2026, 11:25 a.m.

NVD Vulnerability Information
CVE-2026-50229
Summary

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:10 p.m.
Related information, measures and tools
Common Vulnerabilities List
CVE-2026-53404
Summary

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:10 p.m.
CVE-2026-53434
Summary

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:10 p.m.
CVE-2026-55276
Summary

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update July 1, 2026, 12:16 a.m.
CVE-2026-55955
Summary

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:16 p.m.
CVE-2026-55956
Summary

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:16 p.m.
CVE-2026-55957
Summary

Missing Critical Step in Authentication vulnerability in Apache Tomcat: when the JNDIRealm was configured to authenticate binds using GSSAPI, attackers could authenticate without providing the correct password.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.

Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fix the issue.

Publication Date June 30, 2026, 6:16 a.m.
Registration Date July 1, 2026, 4:23 a.m.
Last Update June 30, 2026, 11:16 p.m.