Authentication Bypass in Apache Tomcat Digest Authentication

This repository is a standalone proof-of-concept and lab environment for CVE-2026-43512, an Apache Tomcat DIGEST authentication issue. The main exploit logic is in exploit/exploit.go, a Go program that performs a two-step HTTP interaction: it first sends an unauthenticated GET to a protected resource to collect one or more WWW-Authenticate: Digest challenges, then parses the challenge, prefers MD5 when multiple algorithms are offered, and constructs a crafted Authorization: Digest header using the literal password "null" for a non-existent username. The exploit computes the RFC 2617 digest response locally and resubmits the request in an attempt to bypass authentication and retrieve the protected content. Repository structure: the Go PoC is accompanied by a Dockerfile and Tomcat configuration files that build a reproducible vulnerable lab. Dockerfile provisions Tomcat 11.0.0-M1, removes default apps, creates a ROOT webapp, and places a protected file at /protected/secret.html. web.xml enables DIGEST authentication for /protected/*, server.xml configures the UserDatabaseRealm and HTTP connector on port 8080, tomcat-users.xml defines a single legitimate user and intentionally omits the attacker username, and logging.properties increases Tomcat logging verbosity for exploitability analysis. index.html appears to be a demonstration page but is not referenced by the Dockerfile-created protected secret path. Capabilities: the code can fingerprint a Tomcat DIGEST-protected endpoint, parse Digest challenge parameters (realm, nonce, opaque, qop, algorithm), generate MD5 or SHA-256 digest responses, and attempt unauthorized access to a protected resource. It does not deliver post-auth payloads, execute commands, or establish persistence. Its purpose is validation of the authentication bypass hypothesis rather than weaponization. Important outcome: despite the repository being framed as an exploit PoC, the included README and code behavior indicate end-to-end exploitation is not reproducible in the provided standard UserDatabaseRealm deployment. The PoC demonstrates that the client and server digest values can match for an unknown user when using password "null", but authentication still fails because Tomcat subsequently calls getPrincipal(username), which returns null for non-existent users, resulting in HTTP 401. Therefore this is best classified as a proof-of-concept exploitability analysis rather than a reliable working bypass.