
Multiple Vulnerabilities in Apache Tomcat Expose Sensitive Data Risks

Severity: High (Score: 69.2)

Sources: nvd.nist.gov

Published: 2026-05-28 · Updated: 2026-05-28

Keywords: apache, tomcat, through, enrichment, data, cve-2026-29146, cve-2026-34486

Severity indicators: CVE:CVE-2026-29146, CVE:CVE-2026-34486

Summary

Two critical vulnerabilities have been identified in Apache Tomcat, CVE-2026-34486 and CVE-2026-29146. CVE-2026-34486 allows bypassing of the EncryptInterceptor due to missing encryption of sensitive data, affecting versions 11.0.20, 10.1.53, and 9.0.116. CVE-2026-29146 is a Padding Oracle vulnerability impacting earlier versions from 11.0.0-M1 to 11.0.18, among others. Users are urged to upgrade to the latest versions to mitigate these risks. The vulnerabilities were published on April 9, 2026, and the first public proof of concept for CVE-2026-34486 was released on April 15, 2026. The scope of impact includes a wide range of Apache Tomcat versions, making it critical for users to act promptly.

Key Points:

  • CVE-2026-34486 allows bypassing of encryption in Apache Tomcat versions 11.0.20, 10.1.53, and 9.0.116.
  • CVE-2026-29146 is a Padding Oracle vulnerability affecting multiple earlier versions of Tomcat.
  • Users are recommended to upgrade to the latest versions to mitigate these vulnerabilities.

Detailed Analysis

**Impact**

Apache Tomcat users across multiple versions (7.0.100 through 11.0.20) are affected by vulnerabilities that expose sensitive data through encryption bypass and padding oracle attacks. This impacts organizations relying on Tomcat for web application hosting globally, potentially exposing encrypted communications and sensitive data to unauthorized access. The scope includes all sectors using affected versions, with no specific geographic or sectoral data provided.

**Technical Details**

Two vulnerabilities are involved: CVE-2026-29146, a padding oracle vulnerability in the EncryptInterceptor affecting versions 7.0.100 through 11.0.18, and CVE-2026-34486, a missing encryption vulnerability due to a fix bypass in versions 9.0.116 through 11.0.20. The attack vector exploits weaknesses in Tomcat’s encryption interceptor during data transmission, enabling attackers to decrypt sensitive data. No malware, tools, or IOCs are detailed in the sources.

**Recommended Response**

Users should urgently upgrade affected Apache Tomcat instances to versions 11.0.21, 10.1.54, or 9.0.117 to address both vulnerabilities. Monitoring for unusual decryption attempts or anomalous traffic related to EncryptInterceptor should be implemented. Harden configurations by reviewing encryption settings and disabling default configurations vulnerable to padding oracle attacks. No additional IOCs or detection signatures are provided.
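As an added inventory check (not code from this advisory or from the Apache Tomcat project), the script below compares reported Tomcat versions against the fixed releases named in the Recommended Response above, treating every earlier release in the same major line as affected and flagging lines for which the advisory lists no fix; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory's Recommended Response, keyed by major
# line. 7.x and 8.x fall inside the affected range quoted on the page
# ("7.0.100 through 11.0.20") but have no fixed release listed there.
FIXED = {11: "11.0.21", 10: "10.1.54", 9: "9.0.117"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version such as '11.0.0-M1' into a sortable tuple.

    Milestone builds (-Mn) precede the GA release with the same number, so
    the GA build gets stage 1 and milestones get stage 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    stage, ms = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), stage, ms)


def assess(text: str) -> str:
    """Classify a reported version: 'fixed', 'affected' or 'no-fix-listed'.

    'no-fix-listed' means the major line is not covered by a fixed release
    in the advisory, so the host needs a manual upgrade-path decision.
    """
    v = parse_version(text)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "no-fix-listed"
    return "fixed" if v >= parse_version(fixed) else "affected"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not from the page).
    inventory = {"web-01": "9.0.116", "web-02": "10.1.54",
                 "web-03": "11.0.0-M1", "legacy-01": "8.5.100"}
    for host, ver in inventory.items():
        print(f"{host}: Tomcat {ver} -> {assess(ver)}")
```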

Source articles (2)

  • CVE-2026-34486 — nvd.nist.gov · 2026-05-28
    This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes. Missing Encryption of Sensitive Data vulne…
  • CVE-2026-29146 — nvd.nist.gov · 2026-05-28
    Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.…

Timeline

  • 2026-04-09 — CVE-2026-34486 published: CVE-2026-34486 was published, detailing a vulnerability in Apache Tomcat affecting several versions.
  • 2026-04-09 — CVE-2026-29146 published: CVE-2026-29146 was published, describing a Padding Oracle vulnerability in Apache Tomcat.
  • 2026-04-15 — First public PoC for CVE-2026-34486: The first public proof of concept for CVE-2026-34486 was released, demonstrating the vulnerability.
  • Recent — Users urged to upgrade Apache Tomcat: Users are recommended to upgrade to versions 11.0.21, 10.1.54, or 9.0.117 to fix the vulnerabilities.

CVEs

  • CVE-2026-29146
  • CVE-2026-34486

Related entities

  • CWE-311 - Missing Encryption of Sensitive Data (Cwe)
  • Apache Tomcat (Platform)
  • Missing Encryption Of Sensitive Data Vulnerability (Vulnerability)
  • Padding Oracle Vulnerability In Apache Tomcat EncryptInterceptor (Vulnerability)