Critical

Apache Tomcat HTTP/2 Request Headers Not Validated

IdentifiersCVE-2026-41293CWE-20· Improper Input Validation

CVE-2026-41293 is a low-severity improper input validation vulnerability in Apache Tomcat. Tomcat did not validate HTTP/2 request headers before exposing header values to applications through the Servlet API. As a result, an application that reasonably assumes Servlet API header values are specification-compliant could receive malformed or otherwise invalid header data, potentially triggering unexpected application behavior. Reported affected versions include Tomcat 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, and 10.0.0-M1 through 10.0.27; some sources also indicate 8.5.0 through 8.5.100 may be affected, and older unsupported versions may also be impacted.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may cause unexpected application behavior in software deployed behind Tomcat when that software relies on HTTP/2 header values obtained via the Servlet API being standards-compliant. The provided sources do not establish direct remote code execution or privilege escalation from this flaw alone. The practical impact is application-dependent and may include logic errors, improper request handling, denial of service conditions, authentication or authorization edge cases, or inadvertent exposure of sensitive information where downstream code mishandles invalid header values.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is provided in the supplied content other than upgrading. Where immediate patching is not possible, reduce exposure by limiting or disabling HTTP/2 handling if operationally feasible, placing strict request normalization and validation controls in front of Tomcat, and reviewing application code that trusts Servlet API header values to ensure it performs its own validation before using header data in security-sensitive logic. This mitigation guidance is inferential; the authoritative remediation in the sources is to upgrade.

Remediation

Patch, then assume compromise.

Upgrade Apache Tomcat to a fixed release. The provided sources identify fixed versions as 11.0.22 or later, 10.1.55 or later, and 9.0.118 or later. For the 10.0.x branch, users should upgrade to a supported fixed branch because 10.0.x is end-of-support. Older unsupported branches should be migrated to a supported release line. Debian package fixes referenced in the content include tomcat11 11.0.22-1~deb13u1 and tomcat10 10.1.55-1~deb12u1 or 10.1.55-1~deb13u1, depending on distribution release.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationTomcatapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security weekNews

Jun 18, 2026

Atlassian, Splunk Patch Critical Vulnerabilities - SecurityWeek

A critical-severity vulnerability in Apache Tomcat affecting third-party dependencies used in Atlassian products.

lists apacheNews

May 12, 2026

[SECURITY] CVE-2026-41293 Apache Tomcat - HTTP/2 request headers not validated-Apache Mail Archives

A low-severity Apache Tomcat vulnerability where HTTP/2 request headers were not properly validated, potentially causing unexpected application behavior when applications assumed Servlet API header values were specification compliant.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-41293

NVD

nvd.nist.gov/vuln/detail/CVE-2026-41293

MITRE CWE · CWE-20

Improper Input Validation

Vendor Advisory

lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r

Third Party Advisory

openwall.com/lists/oss-security/2026/05/12/13