Platform
java
Component
org.apache.tomcat:tomcat-catalina
Fixed in
11.0.20
10.1.53
9.0.116
8.5.101
CVE-2026-25854 describes an Open Redirect vulnerability within the LoadBalancerDrainingValve component of Apache Tomcat. This flaw allows attackers to redirect users to arbitrary, untrusted websites, potentially facilitating phishing attacks or the delivery of malicious content. The vulnerability impacts versions from 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, and 9.0.0.M23 through 9.0.115. Affected users should upgrade to version 11.0.20, 10.1.53, or 9.0.116 to mitigate the risk.
An attacker can craft a link that, when followed by a legitimate user, causes the affected Tomcat instance to redirect the browser to a site the attacker controls. Because the redirect is issued by a trusted hostname, users are unlikely to notice it, which makes the flaw useful for credential phishing, malware delivery and similar lure-based attacks. Exposure is limited to deployments that have the LoadBalancerDrainingValve configured (it is not part of Tomcat's default configuration), but within those deployments every user who follows such a link is affected, so the impact scales with user traffic and the sensitivity of the application behind the redirect.
This vulnerability was publicly disclosed on 2026-04-09. No active exploitation campaigns and no public proof-of-concept exploits have been reported, and the vulnerability is not listed on CISA KEV as of this writing. Open redirects are usually simple to exploit once the details are public, so targeting remains plausible even though the EPSS score below currently indicates a low probability of exploitation.
Exploit Status
EPSS
0.03% (7th percentile)
CVSS Vector
The primary mitigation for CVE-2026-25854 is to upgrade Apache Tomcat to a fixed release: 11.0.20, 10.1.53 or 9.0.116. If an immediate upgrade is not feasible, reduce exposure in the meantime. The LoadBalancerDrainingValve only does anything when a load balancer signals that a node is being drained; if your deployment does not rely on that behaviour, removing the valve from its server.xml or context.xml configuration removes the affected code path entirely. Where the valve must stay, enforce redirect-target validation at a reverse proxy or WAF in front of Tomcat so that Location headers pointing outside your own hosts are blocked. Validation inside application code does not help here, because a valve runs in Tomcat's container pipeline before the request reaches any servlet or filter. Monitor Tomcat access logs for unexpected 3xx responses on paths that do not normally redirect. After upgrading, confirm the running version (the "Server version: Apache Tomcat/..." line printed by catalina.sh version) and re-test the redirect you used to reproduce the issue; the response should no longer send the browser off your site.
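The redirect-target check that the workaround above calls for, written out as an added example in Python (this is not Tomcat's code and not part of the original advisory). It assumes a hypothetical allow-list of two hostnames (www.example.com and app.example.com) and is intended for the reverse proxy or WAF layer that sees Tomcat's responses, since a check inside the application never sees a redirect issued by a valve. The sample Location values in the demo are constructed to cover the usual open-redirect tricks: protocol-relative URLs, backslash and whitespace variants, non-http schemes and userinfo lookalikes.

```python
from urllib.parse import urlsplit

# Hostnames a redirect may legitimately point at. Constructed for this example;
# replace with the names your Tomcat instance actually serves.
ALLOWED_HOSTS = frozenset({"www.example.com", "app.example.com"})


def redirect_verdict(target: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Explain why a Location value is accepted ("ok") or rejected.

    Accepted:
      * a same-origin path such as "/app/page?x=1" (exactly one leading "/")
      * an absolute http(s) URL whose hostname is in allowed_hosts
    Everything else is rejected with a short reason. The first checks run on
    the raw string before parsing because browsers normalise some inputs in
    ways a URL parser does not: "\\" is treated as "/" and tabs/newlines are
    dropped, so "/\\evil.example" and "/\t/evil.example" both become
    "//evil.example" in the browser.
    """
    if not target:
        return "empty target"
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return "whitespace or control character"
    if "\\" in target:
        return "backslash"
    if target.startswith("//"):
        return "protocol-relative URL"
    if target.startswith("/"):
        return "ok"  # same-origin path, stays on this host
    parts = urlsplit(target)  # urlsplit lower-cases the scheme and hostname
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme or '(none)'} not allowed"
    # .hostname strips userinfo and port, so "https://www.example.com@evil.example/"
    # is judged by "evil.example", not by the lookalike before the "@".
    host = parts.hostname
    if host is None:
        return "no host"
    if host not in allowed_hosts:
        return f"external host {host}"
    return "ok"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean form suitable for a proxy or WAF rule."""
    return redirect_verdict(target, allowed_hosts) == "ok"


if __name__ == "__main__":
    # Constructed Location values; none of these were captured from a real host.
    for t in ["/app/home", "//evil.example/", "/\\evil.example",
              "https://www.example.com@evil.example/", "javascript:alert(1)",
              "https://app.example.com/login?next=/app/home"]:
        print(f"{t!r:50} -> {redirect_verdict(t)}")
```

The allow-list is deliberately an exact hostname match rather than a suffix match: a suffix check such as endswith("example.com") would accept notexample.com, which is the kind of bypass these rules usually fall to.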
Upgrade Apache Tomcat to version 8.5.101, 9.0.116, 10.1.53 or 11.0.20 or later to mitigate the open redirect vulnerability. This update corrects an issue in LoadBalancerDrainingValve that could allow unwanted redirects to untrusted sites.
CVE-2026-25854 is a Medium severity Open Redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve that allows attackers to redirect users to malicious websites. It affects the 11.0.x, 10.1.x and 9.0.x release lines (exact ranges below).
You are affected if you are running Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, or 9.0.0.M23 through 9.0.115.
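A small version-assessment helper, added here as an example (it is not part of the advisory or of Tomcat) that encodes the affected ranges and fixed releases exactly as this page lists them. Tomcat has used two milestone spellings (9.0.0.M23 and 11.0.0-M1), and a milestone must sort before the GA release with the same numbers, so the parser handles both. The 8.5.x line is left out because the page names 8.5.101 as fixed but gives no affected range for it; versions the page says nothing about, such as 11.0.19, are reported as "unknown" rather than guessed. The "Server version: Apache Tomcat/..." line is the format printed by catalina.sh version; the sample line in the demo is constructed.

```python
import re
from typing import Optional, Tuple

# Affected ranges and first fixed releases exactly as this page lists them.
# The 8.5.x line is omitted: the page names 8.5.101 as fixed but gives no
# affected range, so nothing can be decided for 8.5.x from this page alone.
BRANCHES = (
    # (first affected, last affected, first fixed)
    ("11.0.0-M1", "11.0.18", "11.0.20"),
    ("10.1.0-M1", "10.1.52", "10.1.53"),
    ("9.0.0.M23", "9.0.115", "9.0.116"),
)

# GA releases ("10.1.52") plus both milestone spellings Tomcat has used
# ("9.0.0.M23" and "11.0.0-M1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# "catalina.sh version" and the startup log print "Apache Tomcat/<version>".
_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts in release order.

    A milestone sorts before the GA release with the same numbers, so the
    tuple is (major, minor, patch, is_ga, milestone_number).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version: str) -> str:
    """Classify a Tomcat version against the ranges on this page.

    Returns "affected", "fixed", or "unknown" for a release line or version
    the page says nothing about (e.g. 8.5.x, or the gap between 11.0.18 and
    11.0.20).
    """
    v = parse_version(version)
    for first, last, fixed in BRANCHES:
        lo, hi, fix = (parse_version(s) for s in (first, last, fixed))
        if v[:2] != lo[:2]:
            continue  # different major.minor release line
        if v >= fix:
            return "fixed"
        if lo <= v <= hi:
            return "affected"
        return "unknown"
    return "unknown"


def assess_server_info(line: str) -> Optional[str]:
    """Apply assess() to a 'Server version: Apache Tomcat/x.y.z' line."""
    m = _SERVER_INFO_RE.search(line)
    return assess(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "Server version: Apache Tomcat/9.0.115"
    print(sample, "->", assess_server_info(sample))
```

Feed it the output of catalina.sh version or the startup log from each node; an "unknown" result means the page's ranges do not cover that version and you should check the Apache advisory directly rather than assume either way.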
Upgrade Apache Tomcat to version 11.0.20, 10.1.53, or 9.0.116. If an immediate upgrade is not possible, remove the LoadBalancerDrainingValve from your configuration if you do not need it, or enforce redirect-target validation at a WAF or reverse proxy in front of Tomcat as a temporary measure.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation suggests it may be targeted.
Refer to the Apache Security Advisories page for the latest information: https://security.apache.org/