CVE-2026-29129

CWE-327 — Broken Cryptographic Algorithm CWE-158 documents7 sources

Severity

7.5HIGH

No vector

EPSS

0.0%

top 94.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat9.0.114 — 9.0.116+2

▶Mavenorg.apache.tomcat:tomcat-catalina9.0.114 — 9.0.116+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.114 — 9.0.116+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.16 — 11.0.18+2

🔴Vulnerability Details

VulDB

Apache Tomcat up to 9.0.115/10.1.52/11.0.18 Cipher Preference Order information disclosure↗2026-04-09

▶

GHSA

GHSA-69cc-cv78-qc8g: Configured cipher preference order not preserved vulnerability in Apache Tomcat↗2026-04-09

▶

GHSA

Apache Tomcat: Configured cipher preference order not preserved↗2026-04-09

▶

CVEList

Apache Tomcat: TLS cipher order is not preserved↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved↗2026-04-09

▶

💬Community

Bugzilla

CVE-2026-29129 tomcat: Apache Tomcat: Configured cipher preference order not preserved [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-29129 Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved↗2026-04-09

▶