Apache Tomcat Vulnerabilities Let Attackers Bypass Security Constraints via HTTP/0.9 Requests

Apache Tomcat is affected by CVE-2026-24733, a vulnerability that allows attackers to bypass security constraints via HTTP/0.9 requests when specific access-control rules are configured. The issue requires a particular configuration in which HEAD requests are allowed but GET requests are denied, and the attacker must be able to send crafted HTTP/0.9 traffic.

Edward Kiledjian @ekiledjian
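
To check whether a deployment has the configuration described above, the following added example (not from the post or from the Tomcat project) scans a `web.xml` for constraints that deny GET while leaving HEAD uncovered. It assumes the rule is written as a servlet `<security-constraint>` with an empty `<auth-constraint/>`; the function names and the sample descriptor are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the advisory). First constraint denies
# GET only, so HEAD stays allowed; the second denies every method.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def texts(parent, name):
    return [(e.text or "").strip() for e in parent if local(e.tag) == name]

def covered(collection, method):
    """True if this web-resource-collection applies to `method`."""
    listed = set(texts(collection, "http-method"))
    if listed:
        return method in listed
    # No explicit list: every method except those in http-method-omission.
    return method not in texts(collection, "http-method-omission")

def find_get_denied_head_allowed(web_xml_text):
    """Return url-patterns whose constraint denies GET but does not cover HEAD."""
    hits = []
    for sc in ET.fromstring(web_xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local(e.tag) == "auth-constraint"]
        # Only an auth-constraint with no role-name entries denies all access.
        if not auth or texts(auth[0], "role-name"):
            continue
        for coll in (e for e in sc if local(e.tag) == "web-resource-collection"):
            if covered(coll, "GET") and not covered(coll, "HEAD"):
                hits += texts(coll, "url-pattern")
    return hits
```

Each constraint is evaluated on its own, so a pattern reported here may still be protected if a separate constraint covers HEAD for the same URL; treat the output as a list to review by hand.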