CVE-2026-24880
Inconsistent Interpretation of HTTP Requests vulnerability in tomcat-catalina (Maven)


What is CVE-2026-24880 About?

This vulnerability in Apache Tomcat is an 'HTTP Request/Response Smuggling' issue, caused by an inconsistent interpretation of HTTP requests due to invalid chunk extensions. Successful exploitation can enable attackers to bypass security controls, poison web caches, or access sensitive information. Exploitation is complex, requiring specific conditions and a deep understanding of HTTP protocol nuances.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >=11.0.0-M1, <11.0.20
    • >=10.1.0-M1, <10.1.52
    • >=7.0.0, <9.0.116
  • org.apache.tomcat:tomcat
    • >=11.0.0-M1, <11.0.20
    • >=10.1.0-M1, <10.1.52
    • >=7.0.0, <9.0.116
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=11.0.0-M1, <11.0.20
    • >=10.1.0-M1, <10.1.52
    • >=7.0.0, <9.0.116

Technical Details

The vulnerability lies in Apache Tomcat's handling of HTTP requests, specifically related to invalid chunk extensions in HTTP/1.1 Transfer-Encoding. When a front-end proxy or load balancer interprets the request differently from the back-end Tomcat server, it leads to request/response smuggling. An attacker crafts a request that is parsed one way by the proxy (e.g., seeing a short message body) and another way by Tomcat (e.g., seeing a longer message body followed by a hidden, malicious request). This discrepancy allows an attacker to 'smuggle' hidden requests past security devices or into a subsequent request on the same connection. The invalid chunk extension causes the parsing inconsistency, allowing the attacker to desynchronize the proxy and server.
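As an added example (not Tomcat's code, and not a reproduction of this CVE's specific flaw), the Python decoder below applies the RFC 9112 §7.1.1 chunk-size line grammar strictly: a chunk extension that does not match the grammar fails the request instead of being skipped or repaired, which removes the lenient reading that a second parser could disagree with. The grammar and the CRLF/empty-trailer handling are the assumptions; extension semantics are ignored, as the RFC permits.

```python
import re

# Strict RFC 9112 section 7.1.1 grammar for the chunk-size line (constructed example):
#   chunk-size    = 1*HEXDIG
#   chunk-ext     = *( BWS ";" BWS chunk-ext-name [ BWS "=" chunk-ext-val ] )
#   chunk-ext-val = token / quoted-string
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\t \x21-\x7e])*"'
CHUNK_LINE = re.compile(
    rf"([0-9A-Fa-f]+)((?:[ \t]*;[ \t]*{TOKEN}(?:[ \t]*=(?:{TOKEN}|{QUOTED}))?)*)"
)

class ChunkError(ValueError): pass  # caller should fail the whole request, not guess

def decode_chunked(raw: bytes, max_chunk: int = 1 << 20) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (decoded_body, bytes_after_this_message).
    Malformed chunk-size lines, invalid extensions included, are rejected rather
    than repaired or skipped, so no lenient reading exists for a peer to disagree with."""
    body, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("chunk-size line not CRLF-terminated")
        try:
            line = raw[pos:eol].decode("ascii")
        except UnicodeDecodeError as exc:
            raise ChunkError("non-ASCII byte in chunk-size line") from exc
        m = CHUNK_LINE.fullmatch(line)  # fullmatch: a bare LF or stray byte cannot slip past
        if m is None:
            raise ChunkError(f"invalid chunk-size line or chunk extension: {line!r}")
        size, pos = int(m.group(1), 16), eol + 2
        if size > max_chunk:
            raise ChunkError("chunk-size exceeds limit")
        if size == 0:  # last-chunk; this example accepts only an empty trailer section
            if raw[pos:pos + 2] != b"\r\n":
                raise ChunkError("trailer fields not accepted")
            return bytes(body), bytes(raw[pos + 2:])  # remainder is the next message
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk-data length does not match chunk-size")
        body += raw[pos:pos + size]
        pos += size + 2

def is_valid_chunked(raw: bytes) -> bool:
    try:
        decode_chunked(raw)
        return True
    except ChunkError:
        return False
```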

What is the Impact of CVE-2026-24880?

Successful exploitation may allow attackers to bypass security measures, gain unauthorized access to internal resources, poison web caches with malicious content, or exploit other users through response queue manipulation.

What is the Exploitability of CVE-2026-24880?

Exploitation is generally considered to be of high complexity. It requires a detailed understanding of the HTTP parsing behaviour of both the front-end proxy/load balancer and the back-end Tomcat server. No authentication is typically required, because these attacks target the HTTP layer before application-level authentication, and no privileges are required. The attack is remote and consists of specially crafted HTTP requests. Special conditions include a proxy/load balancer in front of Tomcat and a disparity in how the two handle invalid chunk extensions in Transfer-Encoding. Risk is increased when HTTP pipelining is enabled and when security controls are deployed at the perimeter without full visibility into the back-end server's parsing logic.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-24880?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=7.0.0, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.0-M1, <10.1.52 → Upgrade to 10.1.52
    • >=11.0.0-M1, <11.0.20 → Upgrade to 11.0.20
  • org.apache.tomcat:tomcat
    • >=7.0.0, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.0-M1, <10.1.52 → Upgrade to 10.1.52
    • >=11.0.0-M1, <11.0.20 → Upgrade to 11.0.20
  • org.apache.tomcat:tomcat-catalina
    • >=7.0.0, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.0-M1, <10.1.52 → Upgrade to 10.1.52
    • >=11.0.0-M1, <11.0.20 → Upgrade to 11.0.20

Additional Resources

What are Similar Vulnerabilities to CVE-2026-24880?

Similar Vulnerabilities: CVE-2021-33044, CVE-2021-31683, CVE-2020-1935, CVE-2019-11043, CVE-2018-8032