VOOZH about

URL: https://ubuntu.com/security/CVE-2026-42498

โ‡ฑ CVE-2026-42498 | Ubuntu

Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Your preferences have been successfully updated. Close notification

Please try again or file a bug report. Close

Security

CVE-2026-42498

Publication date 12 May 2026

Last updated 18 June 2026

Ubuntu priority

Cvss 3 Severity Score

๐Ÿ‘ Image

7.3 ยท High

Score breakdown

Description

Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.

Status

Package Ubuntu Release Status
tomcat9 26.04 LTS resolute
Fixed 9.0.115-1ubuntu0.1
25.10 questing
Fixed 9.0.95-1ubuntu1.1
24.04 LTS noble
Fixed 9.0.70-2ubuntu0.1+esm3
22.04 LTS jammy
Fixed 9.0.58-1ubuntu0.2+esm4
20.04 LTS focal
Fixed 9.0.31-1ubuntu0.9+esm3
18.04 LTS bionic
Fixed 9.0.16-3ubuntu0.18.04.2+esm8
tomcat10 26.04 LTS resolute
Fixed 10.1.40-1ubuntu1.26.04.1
25.10 questing
Fixed 10.1.40-1ubuntu1.25.10.1
24.04 LTS noble
Fixed 10.1.16-1ubuntu0.1~esm4
22.04 LTS jammy Not in release
tomcat11 26.04 LTS resolute
Fixed 11.0.18-1ubuntu0.1~esm1
25.10 questing
Vulnerable
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
tomcat6 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
16.04 LTS xenial Ignored end of ESM support, was needs-triage
14.04 LTS trusty
Not affected
tomcat7 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Not affected
16.04 LTS xenial Ignored end of ESM support, was needs-triage
14.04 LTS trusty
Not affected
tomcat8 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro 30-day free trial

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
tomcat11

Severity score breakdown

CVSS version: CVSS v3.0

Base score ๐Ÿ‘ Image
7.3 ยท High

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

Related Ubuntu Security Notices (USN)

Other references

Access our resources on patching vulnerabilities