Top/Articles/Tomcat shows a '9.1 Critical' flaw, but Apache rates it 'Low' (CVE-2026-59083/59084): why a routine update is enough
apache-tomcat-cve-cover-en

Tomcat shows a '9.1 Critical' flaw, but Apache rates it 'Low' (CVE-2026-59083/59084): why a routine update is enough

Apache Tomcat flaws CVE-2026-59083 and 59084 show up as a '9.1 (Critical)' in scanners, but Apache itself rates both 'Low' β€” no real exploitation, not in KEV. We explain calmly why the numbers disagree, whether your setup is affected, and why a routine update is enough.

NewsPublished July 16, 2026 Updated today
Table of contents
Key takeaways

Apache Tomcat flaws CVE-2026-59083 and 59084 show up as a '9.1 (Critical)' in scanners, but Apache itself rates both 'Low' β€” no real exploitation, not in KEV. We explain calmly why the numbers disagree, whether your setup is affected, and why a routine update is enough.

If your security scanner or a news item flagged "a severity-9.1 (Critical) vulnerability in Apache Tomcat," you may have braced for trouble. The short version: there is no need to scramble into emergency response. The two vulnerabilities just disclosed (CVE-2026-59083 and CVE-2026-59084) are rated "Low" by Apache itself, the project that develops Tomcat. There are no reports of them being used in real attacks.

Apache Tomcat is software for running Java-based web systems, and it is widely used behind the scenes of enterprise systems, including across Japan. Precisely because of that, a "Critical" label tends to put whole teams on alert at once. Yet that "9.1" figure and the developer's "Low" rating are sharply at odds. This article walks through, in order, why the numbers disagree, whether your environment is actually affected, and what to do calmly.

What was disclosed

On July 14, 2026, two vulnerabilities in Apache Tomcat were disclosed, and Japan's vulnerability portal JVN (JVNVU95286373) also carried them as "multiple vulnerabilities in Apache Tomcat." One is a case where a mismatch in how a URL is interpreted could lead to an access-control bypass; the other is not a flaw in the program at all, but a case where the documentation for configuring a feature safely was insufficient.

Neither is the kind of hole that lets anyone easily take over a server from outside. Exploitation requires specific configuration conditions, and as of now there is no confirmed real-world exploitation and no public proof-of-concept (PoC). They are also not listed on the U.S. CISA catalog of vulnerabilities known to be exploited (KEV).

Overview of the vulnerabilities

ItemCVE-2026-59083CVE-2026-59084
IssueURL-interpretation gap can
bypass access control
Insufficient docs for
encryption config
Apache's ratingLowLow
Scanner display9.1 (auto-enriched)9.1 (auto-enriched)
Exploit conditionsRewriteValve +
a specific config
Only on misconfigured
cluster encryption
Real exploitationNoneNone

CVE-2026-59083: a URL-interpretation gap that can bypass access control

Tomcat has a feature called "RewriteValve" that rewrites requested URLs internally. The issue was that Tomcat could mistakenly interpret a "+" (plus) sign in the rewritten URL as a space, in certain cases. Exploiting this interpretation gap could, under the right conditions, reach a path that should be protected by access control (a security constraint). This is not an RCE (remote code execution) that takes over the server, and it only works in environments that "use RewriteValve and have a specific configuration." The classification is improper handling of URL encoding (CWE-177), and it was found by the Tomcat security team itself. Apache rates its severity "Low."

CVE-2026-59084: insufficient documentation for the encryption setting

The second concerns "EncryptInterceptor," a mechanism that encrypts communication between servers in a "cluster" setup that runs multiple Tomcat instances together. The key point is that this is not a flaw in the program, but a "documentation gap": the requirements for configuring it safely were not sufficiently written down. The classification is insufficient technical documentation (CWE-1059). Any real impact would be limited to the narrow case of an organization that had been using this encryption with a mistaken configuration, where the expected protection may not have been in effect. Apache also rates this "Low."

Why "9.1" and "Low" disagree

This is the most important part. The same vulnerability is labeled "9.1 (Critical)" in one place and "Low" in another. The gap comes from who assigns the score, and how.

Severity is expressed as a number from 0.0 to 10.0 by an international yardstick called CVSS (Common Vulnerability Scoring System). The "9.1" going around is an auto-enriched score added to the vulnerability database (NVD) by a U.S. government-affiliated body. Such scores can be assigned mechanically, assuming a "worst case," before each precondition is verified one by one β€” so they tend to come out higher than the real ease of exploitation. The "Low" rating, by contrast, comes from Apache β€” the project that knows this flaw best β€” weighing the actual conditions and impact.

That gap is extreme for the documentation issue, CVE-2026-59084. Even though nothing in the program was fixed β€” only the docs were clarified β€” the auto-enrichment assigns a high 9.1. That plainly does not match reality. Many commercial scanners import and display this auto-enriched value as-is, so an internal scan can raise a "Critical detected" alarm even when the substance is not urgent. Rather than panic at the number alone, the right approach is to look at the assigning project's (developer's) rating together with whether it is actually being exploited.

Is your environment affected?

Let's check calmly. These two only really matter in environments like the following. If none apply, there is almost no practical impact.

UsageRelevanceWhat to do
You use
RewriteValve
In scope for 59083Update and review
the config first
Cluster encryption
(EncryptInterceptor)
In scope for 59084Recheck the config
requirements in the docs
You use
neither
No real impactRoutine update
is enough

Fixes are provided per supported line. Affected and fixed versions are below. Note that the Tomcat 8.5 line (and 7.0) has already reached end of life, so if you run those, the real move β€” regardless of this issue β€” is to migrate to the still-supported 9.0 line or later.

LineAffectedFixed in
11.0 line11.0.0-M1–11.0.2311.0.24
10.1 line10.1.0-M1–10.1.5610.1.57
9.0 line9.0.0.M1–9.0.1199.0.120
8.5 / 7.0 linesEnd of lifeMove to 9.0+

So what should you do?

The response is simple. At your next scheduled maintenance, update to the fixed release for your supported line (9.0.120 / 10.1.57 / 11.0.24). That is enough. There is no call to stop the service now and apply an emergency patch. That said, environments that fell under "in scope" in the earlier table (using RewriteValve, or encrypted cluster communication) should review their configuration alongside the update, for peace of mind.

The main takeaway is a mindset: don't decide based on the word "Critical" a scanner shows, alone. Even with a high number, if you also check whether it is actually being exploited (listing on KEV), how easy exploitation is (a metric called EPSS), and the assigning project's rating, it becomes clear whether you truly need to hurry or a routine cycle suffices. In the Apache world, severity often runs hot in the coverage, yet the real severity varies greatly case by case β€” from the AI-discovered HTTP/2 shutdown attack to the login-free Apache MINA flaw. Checking behind the number, one case at a time, prevents both wasted fire-drills and missing the genuine emergencies.

Frequently asked questions

Q. My scanner shows "Critical 9.1." Can I just leave it?

A. Not "leave it" β€” the right move is "update calmly on your normal cycle." The 9.1 is an auto-enriched score; Apache rates it "Low," and no real exploitation has been confirmed. Updating to the fixed version at your next maintenance is enough. If you use RewriteValve or cluster encryption, review the configuration during the update.

Q. Why do the developer and the scanner disagree on severity?

A. What a scanner shows is often a "worst-case"-leaning auto-enriched value assigned mechanically to a vulnerability database. The assigning project (developer) weighs the actual conditions and impact, so it lands closer to reality. When the numbers disagree, prioritize the project's rating and the real exploitation status.

Q. Our Tomcat is on the 8.5 line. What now?

A. Tomcat 8.5 has already reached end of life and will receive no new fixes. Regardless of this issue, plan a migration to the still-supported 9.0 line or later. Running an end-of-life version in production is itself the bigger risk.

In summary

The two disclosed Apache Tomcat vulnerabilities (CVE-2026-59083 and CVE-2026-59084) may show up as "severity 9.1 (Critical)" in scanners and news, but Apache rates both "Low," and there are no reports of real attacks. One is an access-control bypass under a specific RewriteValve configuration; the other is a documentation gap in the first place. Neither calls for stopping the service for emergency response.

What to do is update to 9.0.120 / 10.1.57 / 11.0.24 at your normal cadence, and review the configuration if you use RewriteValve or cluster encryption. That is enough. This case is also a reminder of a basic principle in vulnerability response: don't be swept along by a "Critical" label β€” judge using the assigning project's rating, real exploitation status, and ease of exploitation.

References

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django