CVE-2026-25854

MEDIUM

Apache Tomcat: Occasionally open redirect

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-25854. PoCs published by gregk4sec.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2026-25854, an open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve. The exploit leverages a crafted URI with leading slashes to trigger a cross-system redirect, potentially affecting SSO/OIDC flows or payment systems.

Description

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Exploits (1)

nomisec WORKING POC

by gregk4sec · poc

https://github.com/gregk4sec/cve-2026-25854

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2026-25854, an open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve. The exploit leverages a crafted URI with leading slashes to trigger a cross-system redirect, potentially affecting SSO/OIDC flows or payment systems.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Apache Tomcat 11.0.x / 10.1.x / 9.x

No auth needed

Prerequisites: Tomcat node in a cluster with LoadBalancerDrainingValve in disabled (draining) state

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/09/21

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 10.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (10)

apache/tomcat 9.0.0 milestone23 (5 CPE variants)

apache/tomcat 9.0.1 - 9.0.116

Apache Software Foundation/Apache Tomcat < 7.0.109

Apache Software Foundation/Apache Tomcat 10.1.0-M1 - 10.1.52

Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.18

Apache Software Foundation/Apache Tomcat 8.5.30 - 8.5.100

Apache Software Foundation/Apache Tomcat 9.0.0.M23 - 9.0.115

org.apache.tomcat/tomcat 8.5.30 - 9.0.116Maven

org.apache.tomcat/tomcat-catalina 8.5.30 - 9.0.116Maven

org.apache.tomcat.embed/tomcat-embed-core 8.5.30 - 9.0.116Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026