CVE-2026-24733

Improper Input Validation vulnerability in Apache Tomcat.<br /> <br /> <br /> Tomcat did not limit HTTP/0.9 requests to the GET method. If a security <br /> constraint was configured to allow HEAD requests to a URI but deny GET <br /> requests, the user could bypass that constraint on GET requests by <br /> sending a (specification invalid) HEAD request using HTTP/0.9.<br /> <br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112.<br /> <br /> <br /> Older, EOL versions are also affected.<br /> <br /> Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.