Skip to main content

Security Advisory: Apache Tomcat CVE-2026-41284 and Xerox DocuShare

Updated
Summary:  Xerox assessed DocuShare for Apache Tomcat CVE-2026-41284 and determined that DocuShare is not affected because the vulnerability is in Tomcat's built-in WebDAV servlet, while DocuShare uses its own WebDAV implementation and does not deploy the Tomcat servlet path required for exploitation.

 

Applies To

DocuShare ReleaseGuidance
DocuShare 7.5No action required for the shipped configuration.
DocuShare 7.6No action required for the shipped configuration.
DocuShare 7.7No action required for the shipped configuration.
DocuShare 8.0No action required for the shipped configuration.

 

Overview

CVE-2026-41284 is an Apache Tomcat WebDAV servlet request-body limit issue tied to Tomcat's built-in WebdavServlet.

Xerox DocuShare reviewed the deployed DocuShare application model and confirmed that the built-in Tomcat WebDAV servlet is not the WebDAV implementation used by DocuShare.

What the Vulnerability Requires

The vulnerability depends on the built-in Tomcat WebDAV servlet being deployed and handling relevant traffic.

  • Tomcat configured to expose the built-in WebDAV servlet.
  • The built-in servlet handling the relevant LOCK or PROPFIND request path.
  • Traffic reaching that Tomcat WebDAV code path in the first place.

DocuShare Assessment

Assessment ItemFinding
WebDAV implementation used by DocuShareDocuShare uses its own WebDAV implementation
Tomcat built-in WebDAV servlet in supported deploymentNot deployed for DocuShare application traffic
Customer guidanceStandard DocuShare deployments are not affected

 

Important:  If your organization has separately deployed Tomcat's built-in WebDAV servlet outside the standard DocuShare application model, that custom path should be reviewed independently.

 

What You Should Do

  • No action is required for a standard Xerox DocuShare deployment.
  • If you have independently enabled Tomcat's built-in WebDAV servlet, review that customization carefully.
  • Do not confuse Tomcat's built-in WebDAV servlet with DocuShare's own WebDAV implementation.

Related articles