CVE-2026-32990
Improper Input Validation vulnerability in tomcat-catalina (Maven)


What is CVE-2026-32990 About?

This Improper Input Validation vulnerability in Apache Tomcat results from an incomplete fix for an earlier vulnerability, which leaves room for security bypasses or unintended behavior. Its impact can range from data manipulation to denial of service, depending on the context in which the invalid input is handled. Exploitation is likely of moderate difficulty, since it requires specific knowledge of the prior fix and of how to bypass it.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >=10.1.50, <10.1.53
    • >=9.0.113, <9.0.116
    • >=11.0.15, <11.0.20
  • org.apache.tomcat:tomcat
    • >=10.1.50, <10.1.53
    • >=9.0.113, <9.0.116
    • >=11.0.15, <11.0.20
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=10.1.50, <10.1.53
    • >=9.0.113, <9.0.116
    • >=11.0.15, <11.0.20

Technical Details

The vulnerability stems from an incomplete fix for CVE-2025-66614 in Apache Tomcat. Attackers can leverage this by crafting malformed input that the previous fix was meant to sanitize or validate, but which the incomplete patch fails to address adequately. This allows the attacker to bypass the security controls implemented to mitigate the original vulnerability, potentially leading to undesired system states, information disclosure, or other consequences that the input validation was meant to prevent. The specific mechanisms for bypassing the fix would involve identifying edge cases or input patterns that are not fully covered by the updated validation logic.

What is the Impact of CVE-2026-32990?

Successful exploitation may allow attackers to bypass security mechanisms, leading to unauthorized access, data corruption, or denial of service.

What is the Exploitability of CVE-2026-32990?

Exploitation would require a moderate level of technical expertise to analyze the incomplete fix for CVE-2025-66614 and devise a bypass. It likely involves crafting specific, malformed input that exploits the gaps in the validation logic. Authentication may or may not be required, depending on where the vulnerable input validation occurs within the application flow. No specific privileges are mentioned, suggesting default user access might be sufficient if the input point is accessible. This vulnerability is likely remotely exploitable, as input validation issues typically occur on network-facing interfaces. The primary constraint is understanding the intricacies of the previous patch and identifying its weaknesses.

What are the Known Public Exploits?

No known public exploits are listed; the PoC / Author / Link / Commentary table on this page is empty.

What are the Available Fixes for CVE-2026-32990?

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina
    • >=9.0.113, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.50, <10.1.53 → Upgrade to 10.1.53
    • >=11.0.15, <11.0.20 → Upgrade to 11.0.20
  • org.apache.tomcat:tomcat
    • >=9.0.113, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.50, <10.1.53 → Upgrade to 10.1.53
    • >=11.0.15, <11.0.20 → Upgrade to 11.0.20
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=9.0.113, <9.0.116 → Upgrade to 9.0.116
    • >=10.1.50, <10.1.53 → Upgrade to 10.1.53
    • >=11.0.15, <11.0.20 → Upgrade to 11.0.20
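An added dependency check, not part of this advisory or of the Tomcat project, that tests Maven coordinates against the affected ranges and upgrade targets listed above. It parses lines in the shape of `mvn dependency:list` output (the sample lines below are constructed) and reports each affected artifact together with the version the advisory says to upgrade to.

```python
import re
# Affected ranges from this advisory as (inclusive lower, exclusive upper);
# the upper bound is also the upgrade target the advisory recommends.
AFFECTED_RANGES = [("9.0.113", "9.0.116"), ("10.1.50", "10.1.53"), ("11.0.15", "11.0.20")]
AFFECTED_ARTIFACTS = {  # groupId:artifactId coordinates listed as affected
    "org.apache.tomcat:tomcat-catalina",
    "org.apache.tomcat:tomcat",
    "org.apache.tomcat.embed:tomcat-embed-core",
}
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")

def parse_version(v):
    """'major.minor.patch' -> int tuple, so 10.1.9 < 10.1.10; Tomcat GA versions are numeric."""
    v = v.strip()
    if not VERSION_RE.fullmatch(v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in v.split("."))

def fixed_version_for(artifact, version):
    """Upgrade target if (artifact, version) is in an affected range, else None."""
    if artifact not in AFFECTED_ARTIFACTS:
        return None
    pv = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= pv < parse_version(hi):
            return hi
    return None

def scan_dependency_list(lines):
    """Scan lines shaped like `mvn dependency:list` output (optional '[INFO]' prefix, then
    groupId:artifactId:type[:classifier]:version:scope); return (artifact, version, fix)."""
    findings = []
    for line in lines:
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 3:
            continue  # blank line or not a Maven coordinate
        artifact = ":".join(parts[:2])
        version = next((p for p in parts[2:] if VERSION_RE.fullmatch(p)), None)
        fix = fixed_version_for(artifact, version) if version else None
        if fix:
            findings.append((artifact, version, fix))
    return findings

# Constructed sample in the shape of `mvn dependency:list` output, not real data.
SAMPLE_DEPENDENCY_LIST = """
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.52:compile
[INFO]    org.apache.tomcat:tomcat-catalina:jar:9.0.116:compile
[INFO]    org.apache.tomcat:tomcat:pom:11.0.15:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.52:compile
""".splitlines()
```

Versions below the listed lower bounds and artifacts the advisory does not name (such as tomcat-embed-websocket in the sample) are reported as not affected, exactly as the page states the ranges.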


Additional Resources

What are Similar Vulnerabilities to CVE-2026-32990?

Similar Vulnerabilities: CVE-2022-22965, CVE-2021-44228, CVE-2020-1938, CVE-2018-11776, CVE-2016-8745