{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24880", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-01-27T18:06:58.294Z", "datePublished": "2026-04-09T19:12:10.730Z", "dateUpdated": "2026-04-09T23:15:44.782Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.18", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.0", "versionType": "semver"}, {"lessThanOrEqual": "7.0.109", "status": "affected", "version": "7.0.0", "versionType": "semver"}, {"lessThan": "7.0.0", "status": "unknown", "version": "0", "versionType": "semver"}, {"lessThanOrEqual": "8.0.53", "status": "unknown", "version": "8.0.0-RC1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Xclow3n"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.<br>Other, unsupported versions may also be affected.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.</p>"}], "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:12:10.730Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Request smuggling via invalid chunk extension", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/20"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:44.782Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue."}], "id": "CVE-2026-24880", "lastModified": "2026-04-10T00:16:25.563", "metrics": {}, "published": "2026-04-09T20:16:24.060", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/20"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: HTTP Request/Response Smuggling via invalid chunk extension", "id": "2457040", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457040"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-444", "details": ["A flaw was found in Apache Tomcat. A remote attacker could exploit an inconsistent interpretation of HTTP requests, known as HTTP Request/Response Smuggling, by sending a specially crafted request with an invalid chunk extension. This vulnerability allows an attacker to manipulate the way HTTP requests are processed, potentially leading to the bypassing of security controls, cache poisoning, or other malicious activities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24880", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:12:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24880\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24880\nhttps://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"], "statement": "This vulnerability has a Low impact. A flaw in Apache Tomcat allows for HTTP Request/Response Smuggling through invalid chunk extensions. This could enable a remote attacker to bypass security controls or poison caches by manipulating HTTP request processing. This affects Red Hat Enterprise Linux and Red Hat JBoss Web Server.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M1,11.0.18]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.0-M1,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0.M1,9.0.115]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.5.0,8.5.100]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.109]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T21:51:47.898596+00:00", "value": {"mitigation_remediation": ["Upgrade to a fixed Tomcat release, such as 11.0.20, 10.1.52, or 9.0.116, or any newer version that contains the fix.", "Confirm that the upgraded Tomcat version is actively running and that web applications function correctly.", "If an immediate upgrade is not possible, apply a web application firewall or reverse proxy that detects and blocks requests containing invalid chunk extensions; this mitigates the smuggling risk.", "Continuously monitor HTTP traffic logs for anomalous patterns indicative of smuggling attempts and investigate any suspicious activity."], "summary": {"action": "Patch", "impact": "HTTP Request Smuggling"}, "threat_synthesis": {"affected_systems": "Apache Tomcat releases from version 7.0.0 through 7.0.109, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.115, 10.1.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18 are affected. Unsupported older releases may also be vulnerable.", "description_and_impact": "Inconsistent interpretation of HTTP requests in Apache Tomcat, arising from an invalid chunk extension in the request body, permits HTTP request smuggling. This flaw allows an attacker to craft requests that the server parses incorrectly, potentially causing the server to misinterpret request boundaries. The CVE description does not explicitly state what an attacker can achieve; however, it is inferred that such smuggling could lead to bypassing authentication checks, manipulation of forwarded headers, or injection of hidden traffic that might be leveraged for further attacks.", "risk_and_exploitability": "The vulnerability is exploitable over standard inbound HTTP traffic by sending crafted chunked requests that include an invalid chunk extension. EPSS data is not available and the issue is not listed in the CISA KEV catalog, but the nature of request smuggling indicates a significant risk. The lack of a defined CVSS score makes it difficult to quantify severity, but the potential impact on confidentiality, integrity, and availability suggests that patching should be prioritized."}}}}, "created": "2026-04-10T08:39:00.395478+00:00", "updated": "2026-04-10T09:29:45.371400+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}