Platform: java
Component: org.apache.tomcat:tomcat-coyote
Fixed in: 11.0.20, 10.1.53, 9.0.116
CVE-2026-32990 describes an improper input validation vulnerability discovered in Apache Tomcat. This issue stems from an incomplete remediation of a previous vulnerability (CVE-2025-66614), potentially allowing attackers to exploit weaknesses in request parsing. The vulnerability impacts Apache Tomcat versions 11.0.15 through 11.0.19, 10.1.50 through 10.1.52, and 9.0.113 through 9.0.115. Affected users should upgrade to a patched version.
Successful exploitation of CVE-2026-32990 could lead to remote code execution (RCE) on the affected Tomcat server. An attacker could potentially inject malicious code into HTTP requests, which, if improperly handled, could be executed by the Tomcat process. This could result in complete server compromise, including data theft, modification, or destruction. The blast radius extends to any application deployed on the Tomcat server, potentially impacting sensitive data and services. While the specific attack vectors are not detailed, the potential for RCE highlights the severity of this vulnerability.
CVE-2026-32990 was published on 2026-04-09. Its existence is tied to an incomplete fix for CVE-2025-66614, suggesting a potential for similar exploitation techniques. As of this writing, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 0.19% (40th percentile)
CVSS Vector:
The primary mitigation for CVE-2026-32990 is to upgrade to a patched version of Apache Tomcat. Specifically, upgrade to version 9.0.116, 10.1.53, or 11.0.20. If immediate upgrading is not feasible, consider implementing temporary workarounds such as strengthening input validation routines within your applications deployed on Tomcat. Web Application Firewalls (WAFs) configured to inspect and filter HTTP requests can also provide a layer of defense by blocking potentially malicious input. After upgrading, confirm the fix by attempting to reproduce the vulnerability using known attack patterns and verifying that the requests are now properly handled.
Update Apache Tomcat to version 11.0.20, 10.1.53 or 9.0.116 to mitigate the improper input validation vulnerability. This update corrects a deficiency that was not fully addressed in a previous fix (CVE-2025-66614).
CVE-2026-32990 is a vulnerability in Apache Tomcat stemming from an incomplete fix for CVE-2025-66614, potentially allowing remote code execution. It affects versions ≤9.0.115 and requires immediate attention.
If you are running Apache Tomcat versions 11.0.15-11.0.19, 10.1.50-10.1.52, or 9.0.113-9.0.115, you are potentially affected by this vulnerability. Upgrade to a patched version to mitigate the risk.
Upgrade to Apache Tomcat version 9.0.116, 10.1.53, or 11.0.20. These versions include the necessary fixes to address the improper input validation vulnerability.
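To turn the affected and fixed version lists above into an inventory check, here is an added example (not part of the advisory or of Tomcat) that reads the org.apache.tomcat:tomcat-coyote dependency out of a Maven pom.xml, resolves a `${...}` version property if one is used, and reports whether the declared version falls in an affected range and which release fixes it. The sample pom is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected ranges and fixed release per branch, as listed in the advisory.
AFFECTED = {
    (11, 0): ((11, 0, 15), (11, 0, 19), "11.0.20"),
    (10, 1): ((10, 1, 50), (10, 1, 52), "10.1.53"),
    (9, 0): ((9, 0, 113), (9, 0, 115), "9.0.116"),
}

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

def parse_version(text):
    """Turn '10.1.51' into (10, 1, 51); drops a qualifier such as '-M1'."""
    core = text.strip().split("-")[0]
    return tuple(int(p) for p in core.split("."))

def assess(version):
    """Return (affected, fixed_version). fixed_version is None when not affected."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in AFFECTED:
        return False, None
    low, high, fixed = AFFECTED[branch]
    return (True, fixed) if low <= v <= high else (False, None)

def resolve_property(root, value):
    """Resolve '${tomcat.version}' against <properties>; other values pass through."""
    if value and value.startswith("${") and value.endswith("}"):
        return root.findtext(f"{MAVEN_NS}properties/{MAVEN_NS}{value[2:-1]}")
    return value

def check_pom(pom_xml):
    """Locate tomcat-coyote in the pom; return a dict, or None if not declared."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(MAVEN_NS + "dependency"):
        gid = dep.findtext(MAVEN_NS + "groupId")
        aid = dep.findtext(MAVEN_NS + "artifactId")
        ver = resolve_property(root, dep.findtext(MAVEN_NS + "version"))
        if gid == "org.apache.tomcat" and aid == "tomcat-coyote" and ver:
            affected, fixed = assess(ver)
            return {"version": ver, "affected": affected, "fixed_in": fixed}
    return None

# Constructed sample pom: version is declared via a property, a common layout.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>10.1.51</tomcat.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.tomcat</groupId><artifactId>tomcat-coyote</artifactId>
    <version>${tomcat.version}</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    print(check_pom(SAMPLE_POM))
```

A version outside the three listed branches (for example 8.5.x) is reported as not affected by this advisory, which says nothing about its other exposure.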
As of the current date, there are no publicly known active exploitation campaigns targeting CVE-2026-32990. However, given the potential for RCE, it is crucial to apply the patch promptly.
Refer to the Apache Tomcat Security Advisory for CVE-2026-32990 on the Apache website: [https://security.apache.org/](https://security.apache.org/)