CVE-2026-43512

Critical

Published: 12 May 2026

Published

12 May 2026

Modified

15 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 29.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-43512 is a critical-severity DEPRECATED: Authentication Bypass Issues (CWE-592) vulnerability in Apache Tomcat. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

NVD Description

DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also…

be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-592

Affected Products

apache

tomcat

7.0.0 — 7.0.109 · 8.5.0 — 8.5.100 · 9.0.0 — 9.0.118

References

https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73
Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2026/05/12/8
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108