CVE-2026-55957
Publication date 30 June 2026
Last updated 30 June 2026
Ubuntu priority
Description
Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.5, 10.1.37 or 9.0.101, which fixes the issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| tomcat6 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 14.04 LTS trusty |
Needs evaluation
|
|
| tomcat7 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Not affected
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| tomcat8 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| tomcat9 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| tomcat10 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| tomcat11 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |
Notes
ebarretto
xenial tomcat6 only builds libservlet2.5-java, not the Tomcat server binaries bionic tomcat7 only builds libservlet3.0-java, not the Tomcat server binaries
References
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-55957
- https://github.com/apache/tomcat/commit/fd96ab415631eea44636c94f911dd38427070ef9 (11.0.5)
- https://github.com/apache/tomcat/commit/0cd21c0393b8811af22daddbba7b4e7328e2d79e (10.1.37)
- https://github.com/apache/tomcat/commit/c32bbd37ea9ee0aaab848af4ee1c9a76e84240ea (9.0.101)
- https://lists.apache.org/thread/7fk339o5jvd4mcgsf0chbrn4o525ccjh
- http://www.openwall.com/lists/oss-security/2026/06/29/26