CVE-2026-24733 is a medium-severity vulnerability in Apache Tomcat caused by improper input validation related to HTTP/0.9 request handling. Apache Tomcat historically supports multiple HTTP versions, including the obsolete HTTP/0.9 protocol, which only supports the GET method. However, Tomcat failed to enforce this restriction, allowing HTTP/0.9 requests to use the HEAD method. This behavior violates the HTTP specification and creates a security bypass scenario. Specifically, if a security constraint in Tomcat is configured to allow HEAD requests to a URI but deny GET requests, an attacker can send a malformed HTTP/0.9 HEAD request to bypass the GET restriction. This bypass allows unauthorized access to resources that should be protected under the GET method constraints. The vulnerability affects multiple major Tomcat branches: 9.x, 10.x, and 11.x, including milestone and stable releases up to the specified versions. The flaw stems from inadequate input validation and protocol enforcement in the HTTP request parser. Although no known exploits have been reported, the vulnerability could be leveraged in environments where fine-grained HTTP method restrictions are critical for access control. The Apache Software Foundation has addressed this issue in Tomcat versions 9.0.113, 10.1.50, and 11.0.15 by properly limiting HTTP/0.9 requests to the GET method only, thereby closing the bypass vector.

The primary impact of this vulnerability is unauthorized access to protected resources due to bypassing HTTP method-based security constraints. Organizations using Apache Tomcat to enforce access controls based on HTTP methods (e.g., allowing HEAD but denying GET) may inadvertently expose sensitive data or functionality. This can compromise confidentiality and integrity of web applications hosted on affected Tomcat servers. Since the vulnerability does not affect availability and does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers. The scope includes all web applications relying on Tomcat's HTTP method constraints for security. Given Tomcat's widespread use in enterprise, government, and cloud environments worldwide, the vulnerability poses a moderate risk to organizations that have not applied the patch. Exploitation could facilitate reconnaissance, data leakage, or further attacks leveraging unauthorized access. Although no active exploitation is currently known, the ease of exploitation and the broad deployment of Tomcat increase the potential impact if weaponized.

To mitigate CVE-2026-24733, organizations should immediately upgrade affected Apache Tomcat instances to versions 9.0.113, 10.1.50, or 11.0.15 or later, where the vulnerability is fixed. In environments where immediate upgrade is not feasible, administrators should consider disabling support for HTTP/0.9 requests entirely if possible, as this protocol is obsolete and rarely needed. Review and audit security constraints configured in Tomcat to ensure that method-based access controls are correctly enforced and do not rely solely on HEAD/GET distinctions. Implement network-level controls such as web application firewalls (WAFs) to detect and block malformed or non-standard HTTP requests, including HTTP/0.9 requests. Monitor server logs for unusual HTTP/0.9 traffic patterns that could indicate exploitation attempts. Additionally, conduct security testing and penetration testing focused on HTTP method handling to validate that access controls are effective. Finally, maintain an up-to-date inventory of Tomcat versions deployed across the organization to ensure timely patch management.