Summary: Xerox assessed DocuShare for Apache Tomcat CVE-2026-43513 and determined that DocuShare is not affected because the Tomcat LockOutRealm in the standard configuration is not used to authenticate DocuShare application users.
Applies To
| DocuShare Release | Guidance |
| --- | --- |
| DocuShare 7.5 | No action required for the shipped configuration. |
| DocuShare 7.6 | No action required for the shipped configuration. |
| DocuShare 7.7 | No action required for the shipped configuration. |
| DocuShare 8.0 | No action required for the shipped configuration. |
Overview
CVE-2026-43513 is an Apache Tomcat issue in LockOutRealm's case-insensitive handling of usernames. The vulnerability matters only when LockOutRealm is actively used for application-user authentication.
Xerox reviewed the supported DocuShare deployment model and determined that the relevant LockOutRealm path is not used to authenticate DocuShare users.
What the Vulnerability Requires
The vulnerability depends on a Tomcat authentication path that is not part of standard DocuShare user authentication.
- LockOutRealm configured for the relevant Tomcat deployment.
- Case-insensitive username handling in that realm path.
- The realm being used to authenticate application users rather than Tomcat administrative applications only.
DocuShare Assessment
| Assessment Item | Finding |
| --- | --- |
| LockOutRealm presence in standard Tomcat configuration | Present only around the Tomcat UserDatabaseRealm path |
| Tomcat Manager applications in supported DocuShare deployment | Not deployed as customer-facing DocuShare applications |
| Customer guidance | Standard DocuShare deployments are not affected |
Important: If your organization has introduced Tomcat administrative applications or alternate realm usage outside the Xerox-supported DocuShare model, review those changes separately.
What You Should Do
- No action is required for a standard Xerox DocuShare deployment.
- If you have introduced custom Tomcat realm behavior or Tomcat administrative applications, review those changes carefully.
- Do not treat the presence of LockOutRealm alone as proof of exposure; the authentication path actually in use is what matters.
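As an added example (not Xerox's or Tomcat's own code), the following audit parses a Tomcat server.xml, reports where each LockOutRealm is configured and which realm it wraps, and distinguishes the stock "LockOutRealm around UserDatabaseRealm" layout from a LockOutRealm wrapping some other realm. The embedded server.xml is a constructed sample mirroring the stock layout; point the functions at your own file contents to check a real deployment.

```python
import xml.etree.ElementTree as ET

LOCKOUT = "org.apache.catalina.realm.LockOutRealm"
USERDB = "org.apache.catalina.realm.UserDatabaseRealm"

# Constructed sample resembling the stock Tomcat server.xml realm block.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""


def find_lockout_realms(server_xml: str) -> list:
    """One record per LockOutRealm: its enclosing container and the realms it wraps."""
    root = ET.fromstring(server_xml)
    # ElementTree has no parent links, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for realm in root.iter("Realm"):
        if realm.get("className") != LOCKOUT:
            continue
        # Walk up to the enclosing container (Engine, Host or Context).
        scope = parent_of.get(realm)
        while scope is not None and scope.tag not in ("Engine", "Host", "Context"):
            scope = parent_of.get(scope)
        label = "?" if scope is None else f"{scope.tag}:{scope.get('name', scope.get('path', '?'))}"
        wrapped = [r.get("className", "") for r in realm.findall("Realm")]
        findings.append({"scope": label, "wraps": wrapped,
                         "only_userdb": bool(wrapped) and all(w == USERDB for w in wrapped)})
    return findings


def assess(server_xml: str) -> str:
    """One-line verdict on what the LockOutRealm path protects, if it is present at all."""
    findings = find_lockout_realms(server_xml)
    if not findings:
        return "no LockOutRealm configured"
    if all(f["only_userdb"] for f in findings):
        return "LockOutRealm wraps only UserDatabaseRealm; confirm which applications authenticate against it"
    return "LockOutRealm wraps another realm; review which application users authenticate through it"


if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_XML))
```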