| Verdict: DocuShare 7.5, 7.6, 7.7, and 8.0 are NOT affected by any of these six CVEs. No action is required. |
Issue Summary
Six security vulnerabilities affecting Apache Tomcat were reported in 2026. If your organization is performing a security assessment or responding to vulnerability scanner findings, this article explains whether these CVEs affect DocuShare.
DocuShare bundles Apache Tomcat with the standard DocuShare installation. Xerox has investigated the impact of all six CVEs against DocuShare 7.5, 7.6, 7.7, and 8.0. None of the six CVEs are exploitable on a default DocuShare deployment - each one requires a Tomcat feature or configuration that DocuShare does not use.
| Note: The not-affected determination in this article is based on the Tomcat features used by the standard DocuShare configuration, not on reaching a specific Tomcat patch level. See the 'Apache Tomcat Version Reference' section for general Tomcat maintenance guidance. |
Vulnerability Summary
The table below summarizes each CVE, its trigger condition, and whether DocuShare is impacted:
| CVE | Trigger Condition | Affects DocuShare? |
| --- | --- | --- |
| CVE-2026-41284 | Tomcat's built-in WebDAV servlet in use | No |
| CVE-2026-42498 | WebSocket endpoints with authentication and redirects | No |
| CVE-2026-41293 | HTTP/2 enabled on the Tomcat connector | No |
| CVE-2026-43512 | DIGEST authentication configured in web.xml | No |
| CVE-2026-43513 | LockOutRealm authenticating application users | No |
| CVE-2026-43515 | HTTP method-based security constraints in web.xml | No |
| DocuShare 7.5 / 7.6 / 7.7 / 8.0 | None of the above features are used in a standard DocuShare deployment | Not Affected |
CVE Analysis
CVE-2026-41284 - Apache Tomcat: WebDAV Servlet Request Body Limit Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-41284
This vulnerability is present in Tomcat's built-in WebDAV servlet (org.apache.catalina.servlets.WebdavServlet) when it handles LOCK and PROPFIND requests without enforcing a request-body size limit.
DocuShare is not affected:
- DocuShare includes its own WebDAV implementation mapped to the /dsweb/* path. Tomcat's built-in WebDAV servlet is not registered or enabled in DocuShare's web application configuration.
- Because the vulnerable servlet is not deployed, the vulnerable code path cannot be reached in a DocuShare installation.
| CVE-2026-41284: Not applicable to DocuShare. No action required. |
CVE-2026-42498 - Apache Tomcat: WebSocket Authentication Redirect Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-42498
This vulnerability affects Tomcat deployments that expose WebSocket endpoints with authentication and HTTP redirect handling.
DocuShare is not affected:
- DocuShare does not expose any WebSocket endpoints. The vulnerable code path is not present in a DocuShare deployment.
| CVE-2026-42498: Not applicable to DocuShare. No action required. |
CVE-2026-41293 - Apache Tomcat: HTTP/2 Request Processing Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2026-41293
This vulnerability is triggered when HTTP/2 is enabled on the Tomcat connector.
DocuShare is not affected:
- DocuShare's shipped Tomcat connector configuration does not enable HTTP/2. All HTTP and HTTPS traffic is handled over HTTP/1.1.
- Because HTTP/2 is not enabled, the vulnerable code path is never invoked.
| CVE-2026-41293: Not applicable to DocuShare. No action required. |
CVE-2026-43512 - Apache Tomcat: DIGEST Authentication Credential Exposure
https://nvd.nist.gov/vuln/detail/CVE-2026-43512
This vulnerability is triggered when DIGEST authentication is configured as the authentication method in a web application's deployment descriptor (web.xml).
DocuShare is not affected:
- DocuShare uses its own session-based authentication mechanism. DIGEST authentication is not configured anywhere in DocuShare's web application.
- The DIGEST authentication code path in Tomcat is never invoked in a DocuShare installation.
| CVE-2026-43512: Not applicable to DocuShare. No action required. |
CVE-2026-43513 - Apache Tomcat: LockOutRealm Case-Insensitive Username Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-43513
This vulnerability affects deployments where Tomcat's LockOutRealm is configured with case-insensitive username matching and is actively used to authenticate application users.
DocuShare is not affected:
- While DocuShare's Tomcat configuration does include a LockOutRealm, it wraps Tomcat's UserDatabaseRealm, which is only used for the Tomcat Manager web applications.
- DocuShare does not deploy the Tomcat Manager applications, so the LockOutRealm never processes authentication requests from DocuShare users. The vulnerable code path is never reached.
| CVE-2026-43513: Not applicable to DocuShare. No action required. |
CVE-2026-43515 - Apache Tomcat: HTTP Method Security Constraint Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-43515
This vulnerability is triggered when a web application defines multiple security constraint entries that use HTTP method restrictions on the same URL pattern in the web application's deployment descriptor (web.xml).
DocuShare is not affected:
- DocuShare's web application does not use HTTP method-based security constraints. The configuration pattern required to trigger this vulnerability is not present in any DocuShare deployment.
| CVE-2026-43515: Not applicable to DocuShare. No action required. |
Apache Tomcat Version Reference
The not-affected conclusion for these six CVEs does not depend on upgrading to Apache Tomcat 9.0.106. It depends on the fact that the standard DocuShare deployment does not use the Tomcat features or configuration patterns required to trigger these issues. The version information below is provided as general maintenance guidance for supported DocuShare releases.
| DocuShare Version | Tomcat Version (after Tomcat patch) |
| --- | --- |
| DocuShare 7.5 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.6 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.7 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 8.0 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| Note: If you have not yet applied the Tomcat patch for your DocuShare version, Xerox still recommends doing so as part of general maintenance and patch hygiene. That maintenance guidance is separate from the not-affected conclusion for the six CVEs covered in this article. Contact Xerox DocuShare Support for the appropriate patch for your version. |
Vulnerability Scanner Findings
If your organization's vulnerability scanner reports any of these six CVEs based on the Tomcat version string alone - without evaluating the required trigger conditions - this article can be used as supporting documentation to demonstrate that DocuShare is not at risk.
This advisory addresses only the six CVEs listed in this article. Other Apache Tomcat security advisories should be evaluated separately.
Summary of why none of the trigger conditions apply to DocuShare:
- CVE-2026-41284: DocuShare uses its own WebDAV implementation, not Tomcat's built-in WebDAV servlet.
- CVE-2026-42498: DocuShare does not expose WebSocket endpoints.
- CVE-2026-41293: DocuShare's Tomcat connector does not enable HTTP/2.
- CVE-2026-43512: DocuShare does not use DIGEST authentication.
- CVE-2026-43513: DocuShare does not deploy Tomcat Manager applications, so LockOutRealm never authenticates DocuShare users.
- CVE-2026-43515: DocuShare's web application does not use HTTP method-based security constraints.
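To confirm on a specific installation that the trigger conditions listed above are absent, the configuration can be checked directly. The script below is an added example, not Xerox or Apache code. It assumes the checks can be made against the text of Tomcat's server.xml and the application's web.xml plus a list of deployed webapp directory names; the sample files, the servlet class `example.HypotheticalDsServlet` and the app name `docushare` are constructed. WebSocket endpoints (CVE-2026-42498) are not declared in these files and are not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not DocuShare's real configuration).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
    </Realm>
  </Engine>
</Service></Server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>ds</servlet-name>
    <servlet-class>example.HypotheticalDsServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>ds</servlet-name>
    <url-pattern>/dsweb/*</url-pattern></servlet-mapping>
</web-app>"""

def elems(root, name):
    """All elements with this local tag name, ignoring XML namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text_is(e, value):
    return (e.text or "").strip().upper() == value.upper()

def audit(server_xml, web_xml, deployed_apps):
    """Map each CVE to True if its trigger condition appears in the config."""
    srv, web = ET.fromstring(server_xml), ET.fromstring(web_xml)
    lockout = any(e.get("className") == "org.apache.catalina.realm.LockOutRealm"
                  for e in elems(srv, "Realm"))
    return {
        # Tomcat's built-in WebDAV servlet registered in web.xml
        "CVE-2026-41284": any(text_is(e, "org.apache.catalina.servlets.WebdavServlet")
                              for e in elems(web, "servlet-class")),
        "CVE-2026-41293": any(e.get("className") == "org.apache.coyote.http2.Http2Protocol"
                              for e in elems(srv, "UpgradeProtocol")),
        "CVE-2026-43512": any(text_is(e, "DIGEST") for e in elems(web, "auth-method")),
        # Assumption: LockOutRealm only matters if a Manager app is deployed
        "CVE-2026-43513": lockout and bool({"manager", "host-manager"} & set(deployed_apps)),
        # Conservative: flags any method-based constraint, not only overlapping ones
        "CVE-2026-43515": any(elems(c, "http-method") or elems(c, "http-method-omission")
                              for c in elems(web, "security-constraint")),
    }

if __name__ == "__main__":
    for cve, present in audit(SERVER_XML, WEB_XML, ["docushare"]).items():
        print(cve, "trigger present" if present else "trigger absent")
```

A `True` for any entry means the installation differs from the standard configuration described in this article and that CVE should be evaluated separately.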
Conclusion
Xerox has reviewed all six CVEs and confirmed that DocuShare 7.5, 7.6, 7.7, and 8.0 are not affected by any of them. No patches, configuration changes, or workarounds are required for DocuShare in response to these CVEs. Applying supported Tomcat patches remains recommended as part of normal product maintenance.