Message-ID: <ea2f3133-20cc-41e2-b8af-be42727d4a97@apache.org>
Date: Thu, 9 Apr 2026 20:47:28 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-25854: Apache Tomcat: Occasionally open redirect

Severity: low

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.18
- Apache Tomcat 10.1.0-M1 through 10.1.52
- Apache Tomcat 9.0.0.M23 through 9.0.115
- Apache Tomcat 8.5.30 through 8.5.100
- Apache Tomcat through 7.0.109 unaffected

Description:

Occasional URL redirection to untrusted site ('Open Redirect')
vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from
10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30
through 8.5.100.
Other, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116,
which fix the issue.
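The affected ranges above, turned into a check an operator can run against an inventory of Tomcat versions. This is an added example, not part of the advisory or of Tomcat; it assumes version strings in Tomcat's own formats (`11.0.18`, `11.0.0-M1`, `9.0.0.M23`) and takes the ranges and fixed releases only from the text above.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.18"),
    ("10.1.0-M1", "10.1.52"),
    ("9.0.0.M23", "9.0.115"),
    ("8.5.30", "8.5.100"),
]
# Fixed releases the advisory recommends, keyed by (major, minor) branch.
# The advisory lists no fixed 8.5.x release, so that branch is absent.
FIXED_RELEASES = {(11, 0): "11.0.20", (10, 1): "10.1.53", (9, 0): "9.0.116"}

# Tomcat writes milestones as "11.0.0-M1" (newer) or "9.0.0.M23" (older).
# Both mean "milestone N before release x.y.z", so they must sort below it.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    The last two elements order milestones before the numbered release:
    (..., 0, N) for milestone N, (..., 1, 0) for the release itself.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(text: str) -> Optional[str]:
    """Fixed release for an affected version's branch; None if not affected or none listed."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    return FIXED_RELEASES.get((v[0], v[1]))

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical values, not from the advisory).
    for ver in ["11.0.18", "11.0.20", "10.1.0-M1", "9.0.0.M22", "9.0.0.M23", "8.5.100", "7.0.109"]:
        print(f"{ver:>10}: affected={is_affected(ver)} upgrade_to={recommended_upgrade(ver)}")
```

An affected 8.5.x host returns `None` for the upgrade target because the advisory names no fixed 8.5 release, so it needs a move to a supported branch rather than a point upgrade.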

Credit:

gregk4sec (https://github.com/gregk4sec) (finder)

References:

https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25854
