CVE-2026-55276
Publication date 30 June 2026
Last updated 30 June 2026
Ubuntu priority
Description
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tomcat6 | 26.04 LTS resolute | Not in release |
| tomcat6 | 25.10 questing | Not in release |
| tomcat6 | 24.04 LTS noble | Not in release |
| tomcat6 | 22.04 LTS jammy | Not in release |
| tomcat6 | 14.04 LTS trusty | Needs evaluation |
| tomcat7 | 26.04 LTS resolute | Not in release |
| tomcat7 | 25.10 questing | Not in release |
| tomcat7 | 24.04 LTS noble | Not in release |
| tomcat7 | 22.04 LTS jammy | Not in release |
| tomcat7 | 18.04 LTS bionic | Not affected |
| tomcat7 | 14.04 LTS trusty | Needs evaluation |
| tomcat8 | 26.04 LTS resolute | Not in release |
| tomcat8 | 25.10 questing | Not in release |
| tomcat8 | 24.04 LTS noble | Not in release |
| tomcat8 | 22.04 LTS jammy | Not in release |
| tomcat8 | 18.04 LTS bionic | Needs evaluation |
| tomcat8 | 16.04 LTS xenial | Needs evaluation |
| tomcat9 | 26.04 LTS resolute | Needs evaluation |
| tomcat9 | 25.10 questing | Needs evaluation |
| tomcat9 | 24.04 LTS noble | Needs evaluation |
| tomcat9 | 22.04 LTS jammy | Needs evaluation |
| tomcat9 | 20.04 LTS focal | Needs evaluation |
| tomcat9 | 18.04 LTS bionic | Needs evaluation |
| tomcat10 | 26.04 LTS resolute | Needs evaluation |
| tomcat10 | 25.10 questing | Needs evaluation |
| tomcat10 | 24.04 LTS noble | Needs evaluation |
| tomcat10 | 22.04 LTS jammy | Not in release |
| tomcat11 | 26.04 LTS resolute | Needs evaluation |
| tomcat11 | 25.10 questing | Needs evaluation |
| tomcat11 | 24.04 LTS noble | Not in release |
| tomcat11 | 22.04 LTS jammy | Not in release |
Notes
ebarretto
xenial tomcat6 only builds libservlet2.5-java, not the Tomcat server binaries
bionic tomcat7 only builds libservlet3.0-java, not the Tomcat server binaries
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-55276
- https://github.com/apache/tomcat/commit/f844614c6d92eeb11e81e179606bf4c390f642dd (11.0.23)
- https://github.com/apache/tomcat/commit/e391c6b201eae2ad9707a1335aff68ab8b3e0f84 (11.0.23)
- https://github.com/apache/tomcat/commit/25677f90fd721c26ef0f613d34ef8275b1aafc31 (10.1.56)
- https://github.com/apache/tomcat/commit/17daf80a738d66a8e6cad05c5e32c2db81500ce1 (10.1.56)
- https://github.com/apache/tomcat/commit/3ca8cae5fd3796b1bd9759e11b0e238161e7a39c (9.0.119)
- https://lists.apache.org/thread/jy09xjlzn6r2qwvqoph8vcmf959yq68v
- http://www.openwall.com/lists/oss-security/2026/06/29/23