CVE-2026-24733: Apache Tomcat - Security Constraint Bypass with HTTP/0.9 Severity Low Vendor The Apache Software Foundation Versions Affected Apache Tomcat 11.0.0-M1 to 11.0.14 Apache Tomcat 10.1.0-M1 to 10.1.49 Apache Tomcat 9.0.0.M1 to 9.0.112 Older, EOL versions are also affected Description Apache Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. Mitigation Users of the affected versions should apply one of the following mitigations: Upgrade to Apache Tomcat 11.0.15 or later Upgrade to Apache Tomcat 10.1.50 or later Upgrade to Apache Tomcat 9.0.113 or later Credit This issue was identified by the Apache Tomcat security team History 2026-02-17: Original advisory References 1. https://tomcat.apache.org/security-11.html 2. https://tomcat.apache.org/security-10.html 3. https://tomcat.apache.org/security-9.html