Security Advisory: DocuShare Not Affected by CVE-2026-24733, CVE-2025-66614, or CVE-2026-29000
| Advisory Summary: Xerox has evaluated DocuShare against three recently reported CVEs. DocuShare is NOT affected by any of these vulnerabilities. No customer action or upgrade is required. |
Overview
Multiple customers have inquired about three Common Vulnerabilities and Exposures (CVEs) reported against Apache Tomcat and the pac4j-jwt library. This advisory summarizes Xerox's assessment of whether DocuShare is vulnerable to each CVE.
DocuShare uses Apache Tomcat 9.0.106 as its embedded web server on a fully patched installation. Although Tomcat 9.0.106 falls within the affected version ranges cited by CVE-2026-24733 and CVE-2025-66614, exploitation of both CVEs requires specific Tomcat configurations that DocuShare does not use. DocuShare therefore remains unaffected.
| Note: The CVE analysis in this article applies to DocuShare installations running Apache Tomcat 9.0.106. All supported DocuShare versions (7.5, 7.6, 7.7, 8.0) require a Tomcat patch to be applied to reach version 9.0.106. See the 'Apache Tomcat Version Reference' section below for details. |
CVE Assessment Summary
| CVE ID | Component | Assessment | Action Required |
| --- | --- | --- | --- |
| CVE-2026-24733 | Apache Tomcat 9.0.106 | Not Affected | None |
| CVE-2025-66614 | Apache Tomcat 9.0.106 | Not Affected | None |
| CVE-2026-29000 | pac4j-jwt library | Not Affected | None |
Detailed Assessment
CVE-2026-24733 - Apache Tomcat: Partial PUT Security Bypass
This vulnerability allows an attacker to bypass HTTP method-based security constraints. Specifically, it applies when a web application defines security constraints that allow one HTTP method (for example, HEAD) while restricting another (for example, GET) on the same resource.
DocuShare assessment:
- DocuShare does not define any HTTP method-based security constraints of this type.
- The only security constraints present in DocuShare's Tomcat configuration (within the Solr component) disable the HTTP TRACE method. This is a standard security hardening practice and does not create the allow-one-method, restrict-another condition that CVE-2026-24733 requires.
- Conclusion: DocuShare is NOT affected. No Tomcat upgrade is required for this CVE.
CVE-2025-66614 - Apache Tomcat: TLS Client Authentication Bypass
This vulnerability enables an attacker to bypass TLS client certificate authentication when a Tomcat server is configured with multiple virtual hosts and client certificate authentication enabled at the Tomcat Connector level.
DocuShare assessment:
- DocuShare runs Tomcat with a single virtual host ("localhost"). Multiple virtual hosts are not configured and are not part of any supported deployment.
- DocuShare does not enable client certificate authentication at the Tomcat Connector level.
- Both prerequisite conditions must be present for this CVE to be exploitable. Neither condition exists in DocuShare.
- Conclusion: DocuShare is NOT affected. No Tomcat upgrade is required for this CVE.
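The two Tomcat assessments above both come down to configuration facts that can be checked directly in conf/server.xml and each web application's WEB-INF/web.xml: whether any security-constraint is scoped to HTTP methods beyond the TRACE-only hardening (CVE-2026-24733), and whether more than one virtual host is defined while a TLS connector requests a client certificate (CVE-2025-66614). The following audit script is an added example written for this advisory, not Xerox or DocuShare code; the sample configuration fragments are constructed to resemble the state the advisory describes, and the function names are the example's own.

```python
"""Configuration audit for the two Tomcat prerequisites discussed above.
Hypothetical helper, not Xerox or DocuShare code; sample values are
constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed server.xml resembling the state the advisory describes for
# DocuShare: one <Host> and a TLS connector without client-certificate auth.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none">
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed web.xml whose only constraint disables TRACE, as in the advisory.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}security-constraint."""
    return tag.rsplit("}", 1)[-1]


def method_constraints(web_xml_text):
    """List (url_patterns, methods) for every security-constraint that is
    scoped to HTTP methods. Omitted methods are recorded with a '!' prefix."""
    out = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns, methods = [], []
            for el in wrc:
                name, text = _local(el.tag), (el.text or "").strip()
                if name == "url-pattern":
                    patterns.append(text)
                elif name == "http-method":
                    methods.append(text.upper())
                elif name == "http-method-omission":
                    methods.append("!" + text.upper())
            if methods:
                out.append((patterns, methods))
    return out


def risky_method_constraints(web_xml_text):
    """Method-scoped constraints other than the common TRACE-only hardening;
    these are the configurations CVE-2026-24733 is concerned with."""
    return [c for c in method_constraints(web_xml_text) if set(c[1]) != {"TRACE"}]


def virtual_hosts(server_xml_text):
    """Names of all <Host> elements under every <Engine>."""
    return [h.get("name") for h in ET.fromstring(server_xml_text).iter("Host")]


def connectors_with_client_auth(server_xml_text):
    """Ports of TLS connectors that request or require a client certificate,
    via the legacy clientAuth attribute or SSLHostConfig/certificateVerification."""
    found = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        legacy = conn.get("clientAuth", "false").lower()
        nested = [h.get("certificateVerification", "none").lower()
                  for h in conn.iter("SSLHostConfig")]
        if legacy in ("true", "want") or any(
                v in ("required", "optional", "optionalnoca") for v in nested):
            found.append(conn.get("port"))
    return found


def assess(server_xml_text, web_xml_text):
    """Report whether each CVE's configuration prerequisite is present."""
    hosts = virtual_hosts(server_xml_text)
    client_auth = connectors_with_client_auth(server_xml_text)
    return {
        "hosts": hosts,
        "client_auth_connectors": client_auth,
        "cve_2026_24733_prereq_present": bool(risky_method_constraints(web_xml_text)),
        "cve_2025_66614_prereq_present": len(hosts) > 1 and bool(client_auth),
    }


if __name__ == "__main__":
    # On a real install, read conf/server.xml and each webapp's WEB-INF/web.xml.
    print(assess(SAMPLE_SERVER_XML, SAMPLE_WEB_XML))
```

Run against the constructed samples, both prerequisite flags come back False, matching the advisory's conclusion; pointing the functions at a real conf/server.xml and the web.xml of every deployed application gives the same two facts for an installation whose configuration has been customised.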
CVE-2026-29000 - pac4j-jwt: Insecure Default Signature Algorithm
This vulnerability exists in the pac4j-jwt library and allows an attacker to craft JSON Web Tokens (JWTs) that bypass signature verification when the library defaults to an insecure algorithm.
DocuShare assessment:
- DocuShare does not include or use the pac4j-jwt library in any version.
- This CVE is not applicable to DocuShare.
- Conclusion: DocuShare is NOT affected.
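The defensive pattern behind the pac4j-jwt finding is that the verifier, not the token, decides which signature algorithm is acceptable: a verifier that honours whatever `alg` the header claims, or that falls back to a weak default, can be talked into skipping or weakening signature checking. The block below is an added example for this advisory showing that pattern with an explicit algorithm allow-list and HMAC-SHA256; it is not pac4j code, does not model pac4j-jwt's internals or defaults, and its function names and demo key are assumptions.

```python
"""Hardened JWT verification pattern: the verifier pins the accepted signature
algorithm instead of trusting the token's 'alg' header. Assumed example written
for this advisory; it is not pac4j code and does not model pac4j-jwt's internals."""
import base64
import hashlib
import hmac
import json

ALLOWED_ALGS = frozenset({"HS256"})  # fixed by the verifier, never by the token


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_hs256(payload: dict, key: bytes) -> str:
    """Mint a token signed with HMAC-SHA256 (helper so the example is self-contained)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, key: bytes, allowed=ALLOWED_ALGS) -> dict:
    """Return the payload if the token is signed with an allowed algorithm and a
    valid MAC; raise ValueError otherwise. The algorithm choice is the verifier's."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    alg = header.get("alg")
    if alg not in allowed:
        # Rejects 'none', unexpected families, and anything not explicitly opted into.
        raise ValueError(f"algorithm {alg!r} not permitted")
    if alg == "HS256":
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    else:
        raise ValueError(f"no verifier registered for {alg!r}")
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(p_b64))


def is_accepted(token: str, key: bytes) -> bool:
    """Convenience wrapper returning True only when verify() succeeds."""
    try:
        verify(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; never hard-code real keys
    token = issue_hs256({"sub": "alice"}, demo_key)
    print(verify(token, demo_key))
```

The design point is that `allowed` is a parameter of the verifier and the header's `alg` is only compared against it; a library whose default accepts the header's value, or whose default is a weak algorithm, inverts that relationship, which is the class of problem the advisory attributes to the affected pac4j-jwt versions.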
Recommendation
| No Action Required. Customers do not need to apply any Tomcat upgrade or configuration change to address CVE-2026-24733, CVE-2025-66614, or CVE-2026-29000. DocuShare is not vulnerable to any of these CVEs. |
If your organization's security policy requires patching all software within an affected version range regardless of exploitability, please contact Xerox DocuShare Support to discuss your options and any available patch releases.
Apache Tomcat Version Reference
The CVE analysis in this article is based on Apache Tomcat 9.0.106, which is the version in use on a fully patched DocuShare installation. Older DocuShare versions ship with an earlier Tomcat build and require a Tomcat patch to be applied to reach version 9.0.106. The Tomcat patch is available from the DocuShare support portal for each supported release.
The Tomcat version for each supported DocuShare release, after applying the applicable Tomcat patch, is:
- DocuShare 7.5 - Apache Tomcat 9.0.106 (requires Tomcat patch)
- DocuShare 7.6 - Apache Tomcat 9.0.106 (requires Tomcat patch)
- DocuShare 7.7 - Apache Tomcat 9.0.106 (requires Tomcat patch)
- DocuShare 8.0 - Apache Tomcat 9.0.106 (requires Tomcat patch)
| Note: If you have not yet applied the Tomcat patch for your DocuShare version, it is recommended to do so as part of general maintenance. Contact Xerox DocuShare Support for the appropriate patch for your version. |
Applies To
| Product / Component | Details |
| --- | --- |
| DocuShare | 7.5, 7.6, 7.7, 8.0 (all supported versions) |
| Tomcat version (after patch) | Apache Tomcat 9.0.106 |
| Operating System | Windows Server; Linux |
| Search Engine | IDOL and Solr configurations |