Cyber Resilience

CVE-2026-55276

Critical

Published: 29 June 2026

Modified: 02 July 2026
CISA KEV: not listed
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.0037 (28.8th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-55276 is a critical-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in Apache Tomcat. Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked at the 28.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

An Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, and from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue.

CWE(s)

CWE-670: Always-Incorrect Control Flow Implementation
CVEs Like This One

CVE-2026-34946 (shared CWE-670)
CVE-2023-1668 (shared CWE-670)
CVE-2023-39152 (shared CWE-670)
CVE-2023-41338 (shared CWE-670)
CVE-2022-21679 (shared CWE-670)
CVE-2026-40394 (shared CWE-670)
CVE-2021-43819 (shared CWE-670)
CVE-2024-37153 (shared CWE-670)
CVE-2026-48844 (shared CWE-670)
CVE-2021-32684 (shared CWE-670)

Affected Assets

apache tomcat: ≤ 9.0.119 · 10.1.0 to 10.1.56 · 11.0.0 to 11.0.23

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.