Critical Apache Tomcat CVE-2026-24733 Enables Security Constraint Bypass via HTTP/0.9
Apache Tomcat patched CVE-2026-24733, a security constraint bypass vulnerability. Attackers use HTTP/0.9 requests to evade access controls. The flaw, rated Low severity, affects specific configurations. Tomcat accepts HTTP/0.9 HEAD requests where GET should be blocked.
HTTP/0.9 predates modern methods. It has no headers and normally supports only GET. Tomcat processes HEAD over HTTP/0.9 without restriction. This bypasses rules that allow HEAD but deny GET on protected URIs. Attackers retrieve blocked content.
The Apache team found and fixed the issue. Advisory published February 17, 2026. No exploitation reported yet. Legacy clients or misconfigured proxies enable attack paths. Most modern setups normalize protocols safely.
Affected Versions Table
| Tomcat Branch | Vulnerable Range | Fixed Version |
|---|---|---|
| 11.0 | 11.0.0-M1 to 11.0.14 | 11.0.15+ |
| 10.1 | 10.1.0-M1 to 10.1.49 | 10.1.50+ |
| 9.0 | 9.0.0.M1 to 9.0.112 | 9.0.113+ |
| EOL Branches | All versions | Migrate |
Upgrade stops bypass immediately.
Attack Requirements
Exploitation needs specific conditions:
- Security constraint allows HEAD, denies GET for URI.
- Attacker reaches Tomcat directly or via permissive proxy.
- HTTP/0.9 traffic accepted end-to-end.
- No protocol normalization by intermediaries.
Rare but works in legacy setups.
Technical Root Cause
Tomcat code handles HTTP/0.9 specially:
```java
if (protocol == HTTP_0_9) {
    // Minimal parsing, no method validation
    method = "GET"; // Default assumption
}
```
HEAD request over 0.9 bypasses GET checks. Constraint evaluation skips body retrieval logic.
Risk Scenarios
Legacy systems face highest exposure:
- Embedded devices with old Tomcat.
- Proxies allowing HTTP/0.9 passthrough.
- Custom clients using obsolete protocol.
- Misconfigured cloud load balancers.
Modern HTTP/2 stacks block 0.9 naturally.
Mitigation Beyond Patching
Immediate hardening steps:
- Block HTTP/0.9 at edge firewalls/proxies.
- Review HEAD vs GET constraints for gaps.
- Force HTTP/1.1 minimum in server.xml.
- Log and alert HTTP/0.9 requests.
Validate reverse proxy protocol enforcement.
Constraint Configuration Check
Audit web.xml for risky patterns:
```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/protected/*</url-pattern> <!-- illustrative path -->
    <http-method>HEAD</http-method>
    <!-- Missing GET deny creates gap -->
  </web-resource-collection>
  <auth-constraint/> <!-- empty auth-constraint: listed methods denied to all users -->
</security-constraint>
```
Explicitly deny HEAD if unintended.
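The following audit script, added here as an example and not taken from the advisory or the Tomcat project, parses a web.xml and flags every web-resource-collection whose http-method list restricts HEAD without GET or GET without HEAD, in either direction. The sample web.xml, its url-patterns and the role name are constructed; collections using http-method-omission are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the first constraint lists only HEAD, the second lists both.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    # Drop the namespace so the audit works with both javaee and jakartaee schemas.
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def find_head_get_gaps(web_xml_text):
    """Return (resource name, url patterns, methods) for every web-resource-collection
    that restricts exactly one of HEAD and GET. Collections with no <http-method>
    cover all methods; <http-method-omission> is not handled (assumption)."""
    gaps = []
    for sc in _kids(ET.fromstring(web_xml_text), "security-constraint"):
        if not _kids(sc, "auth-constraint"):
            continue  # no auth-constraint means the constraint restricts nothing
        for wrc in _kids(sc, "web-resource-collection"):
            methods = {m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text}
            if methods and ("HEAD" in methods) != ("GET" in methods):
                name = next((n.text for n in _kids(wrc, "web-resource-name")), "")
                patterns = [p.text for p in _kids(wrc, "url-pattern")]
                gaps.append((name, patterns, sorted(methods)))
    return gaps

if __name__ == "__main__":
    print(find_head_get_gaps(SAMPLE_WEB_XML))  # [('Protected', ['/admin/*'], ['HEAD'])]
```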
Patch Deployment Priority
| Environment | Priority | Notes |
|---|---|---|
| Production | Critical | Upgrade within 7 days |
| Staging | High | Test patches immediately |
| Development | Medium | Update before prod deploy |
| EOL Versions | Critical | Migrate now |
Container images need rebuilds.
FAQ
HTTP/0.9 HEAD requests bypass GET-denied constraints.
11.0.15+, 10.1.50+, 9.0.113+.
Yes. Modern protocols reject HTTP/0.9 traffic.
No confirmed attacks as of February 22, 2026.
HEAD allowed, GET denied on same URI path.
Tomcat assumes GET method, skips full validation.