CVE-2026-24880
Published: 09 April 2026
Summary
CVE-2026-24880 is a high-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 43.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the HTTP request/response smuggling vulnerability by requiring timely application of vendor patches that fix Tomcat's handling of invalid chunk extensions.
- SC-7 (Boundary Protection): Boundary protection with web application firewalls or reverse proxies normalizes HTTP requests so that smuggling attempts targeting Tomcat's parsing flaw are blocked before they reach the server.
- Input validation at system interfaces: Validates HTTP inputs at system boundaries to reject malformed chunk extensions that enable the smuggling attack against vulnerable Tomcat versions.
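As an added illustration of the input-validation control above (this is example code written for this page, not code from the Apache Tomcat project or from the advisory), the following Python module implements a strict decoder for HTTP/1.1 chunked transfer coding. It accepts a chunk-size line only when it matches the RFC 9112 grammar for chunk extensions in full and refuses everything else, including bytes left over after the final chunk, which is the condition a lenient parser would turn into a second request. The size cap, the trailer-field check and the sample bodies are assumptions constructed for the example; it does not reproduce Tomcat's parser or the specific malformed input behind this CVE.

```python
import re

# Grammar from RFC 9112 section 7.1 (ABNF), restricted to ASCII because the
# chunk-size line is decoded as ASCII before matching:
#   chunk          = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
#   chunk-size     = 1*HEXDIG
#   chunk-ext      = *( BWS ";" BWS chunk-ext-name [ BWS "=" chunk-ext-val ] )
#   chunk-ext-name = token
#   chunk-ext-val  = token / quoted-string
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
QDTEXT = r"[\t \x21\x23-\x5b\x5d-\x7e]"
QUOTED_PAIR = r"\\[\t \x21-\x7e]"
QUOTED_STRING = rf'"(?:{QDTEXT}|{QUOTED_PAIR})*"'
BWS = r"[ \t]*"
CHUNK_EXT = rf"(?:{BWS};{BWS}{TOKEN}(?:{BWS}={BWS}(?:{TOKEN}|{QUOTED_STRING}))?)*"
CHUNK_SIZE_LINE = re.compile(rf"([0-9A-Fa-f]+)({CHUNK_EXT})")
TRAILER_FIELD = re.compile(rf"{TOKEN}:[\t \x21-\x7e]*")

MAX_CHUNK_SIZE = 1 << 24  # assumption: 16 MiB per chunk is a reasonable cap here


class ChunkSyntaxError(ValueError):
    """Raised for any chunk framing that does not match the grammar exactly."""


def parse_chunk_size_line(line: bytes) -> int:
    """Return the chunk size for one chunk-size line (CRLF already stripped).

    Anything that does not match the grammar in full (a stray ';', non-token
    characters in an extension, bytes after the size that are not a valid
    extension, non-ASCII bytes) is rejected rather than tolerated.
    """
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ChunkSyntaxError("non-ASCII byte in chunk-size line") from exc
    match = CHUNK_SIZE_LINE.fullmatch(text)
    if match is None:
        raise ChunkSyntaxError(f"malformed chunk-size line: {text!r}")
    size = int(match.group(1), 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkSyntaxError(f"chunk size {size} exceeds limit")
    return size


def decode_chunked_strict(body: bytes) -> bytes:
    """Decode a chunked message body, rejecting malformed framing and trailing bytes."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkSyntaxError("chunk-size line not terminated by CRLF")
        size = parse_chunk_size_line(body[pos:end])
        pos = end + 2
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkSyntaxError("truncated chunk data")
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ChunkSyntaxError("chunk data not followed by CRLF")
        pos += 2
        out += data
    # Trailer section: zero or more header fields, then an empty line.
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ChunkSyntaxError("trailer section not terminated")
        if end == pos:
            pos += 2
            break
        field = body[pos:end].decode("ascii", errors="replace")
        if TRAILER_FIELD.fullmatch(field) is None:
            raise ChunkSyntaxError(f"malformed trailer field: {field!r}")
        pos = end + 2
    # Bytes after the last chunk and trailer are exactly what a lenient parser
    # would interpret as the start of another message; refuse them outright.
    if pos != len(body):
        raise ChunkSyntaxError(f"{len(body) - pos} unexpected byte(s) after final chunk")
    return bytes(out)


def is_well_formed_chunked(body: bytes) -> bool:
    """Filter-style wrapper for a proxy or WAF: True only if the body parses strictly."""
    try:
        decode_chunked_strict(body)
    except ChunkSyntaxError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample bodies (not captured traffic).
    samples = {
        b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n": True,
        b"4;name=value\r\nWiki\r\n0\r\n\r\n": True,
        b'4;name="quoted value"\r\nWiki\r\n0\r\n\r\n': True,
        b"4;\r\nWiki\r\n0\r\n\r\n": False,            # ';' with no extension name
        b"4;na me=value\r\nWiki\r\n0\r\n\r\n": False,  # space inside a token
        b"4;name=\x01\r\nWiki\r\n0\r\n\r\n": False,    # control byte in value
        b"4 5\r\nWiki\r\n0\r\n\r\n": False,            # junk after size, no ';'
        b"4\r\nWiki\r\n0\r\n\r\nGET / HTTP/1.1\r\n": False,  # bytes after end
    }
    for body, expected in samples.items():
        print(f"{is_well_formed_chunked(body)!s:>5}  expected {expected!s:>5}  {body!r}")
```

The design point is that a boundary device should fail closed: rather than trying to guess what an origin server will do with an extension it cannot parse, it rejects the request, so the front end and the back end can never disagree about where one message ends and the next begins.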
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE describes a remotely exploitable HTTP request smuggling flaw (CWE-444) in the public-facing Apache Tomcat web server, which directly matches the definition of T1190 Exploit Public-Facing Application; no other Enterprise techniques are directly enabled by the vulnerability description.
NVD Description
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
Deeper analysis
CVE-2026-24880 is an Inconsistent Interpretation of HTTP Requests vulnerability, classified as HTTP Request/Response Smuggling (CWE-444), in Apache Tomcat due to handling of invalid chunk extensions. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M1 through 9.0.115, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109. Other unsupported versions may also be affected.
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Successful exploitation enables HTTP request/response smuggling, resulting in high integrity impact.
Apache advisories recommend upgrading to Tomcat 11.0.20, 10.1.52, or 9.0.116 to mitigate the issue. Additional details are provided in the Apache mailing list at https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/04/09/20.
Details
- CWE(s): CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')