Apache Tomcat - HTTP/2 request headers not validated — CVE-2026-41293

GitHub · GitHub · CVE-2026-41293

ID
CVE-2026-41293

Date
2026-05-12

Updated
2026-05-18

Activity
2026-05-18

Source
GitHub

Vendor
GitHub

Threat
critical

CVSS
9.8

EPSS
0.00253

Summary

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: HTTP/2 request headers were not validated which may have triggered unexpected application behaviour if the application (quite reasonably) assumed that header value exposed through the Servlet API would be specification compliant.…

Product

maven: org.apache.tomcat.embed:tomcat-embed-core | maven: org.apache.tomcat:tomcat | maven: org.apache.tomcat:tomcat-catalina

What to do

General, cautious steps (verify details in the official source):

Prioritize patching or mitigation immediately (treat as actively risky).
Identify affected product versions in your inventory and verify whether you are impacted.
Apply vendor patches/updates or recommended mitigations as soon as available.
Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21

Apache Tomcat - HTTP/2 request headers not validated — CVE-2026-41293

Summary

Product

What to do

Official advisory

Related advisories

Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter

Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override

Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users