Incorrect control flow in rewrite valve allows unexpected rule processing
Summary
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support may also be affected. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fix the issue. A flaw was found in Apache Tomcat's rewrite valve. This vulnerability involves an incorrect control flow implementation where, during the processing of rewrite rules, if the first condition in an OR chain matched, subsequent non-OR conditions were unexpectedly skipped. This can lead to unintended rule processing, potentially allowing for security bypasses or unauthorized access due to misapplied configurations. A flaw was found in Apache Tomcat's RewriteValve. When rewrite rules use OR-chained conditions followed by non-OR conditions, the processing logic may not evaluate conditions correctly, potentially allowing unintended rule matches. Exploitation requires the RewriteValve to be enabled with specific OR-chained condition patterns, which is not a default configuration. Red Hat severity: Moderate — CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). Weakness: CWE-358. Fixed by RHSA-2026:29203, RHSA-2026:32960 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- tomcat11-main-11.0.23-0.1.hum1
- tomcat10-main-10.1.56-1.hum1
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
- tomcat10-main-10.1.56-1.hum1
- tomcat11-main-11.0.23-0.1.hum1
- RHSA-2026:29203
- RHSA-2026:32960
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Mitigation checklist
- This vulnerability only affects Tomcat deployments that use the RewriteValve with OR-chained rewrite conditions. Deployments that do not use the RewriteValve are not affected. Review rewrite rules for OR-chained conditions and test rule evaluation behavior.
Official advisory · high-confidence parse· fetched 1 hour ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.