cbcvebase.
CVE-2026-29146
published 2026-04-09

CVE-2026-29146: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through…

Priority: P2 · 62 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 3.49% (87.7th percentile)
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.

Affected

12 ranges

Vendor                       Product        Version range            Fixed in
apache                       tomcat         >= 10.0.0 < 10.1.53      10.1.53
apache                       tomcat         >= 11.0.0 < 11.0.20      11.0.20
apache                       tomcat         7.0.100 – 7.0.109
apache                       tomcat         8.5.38 – 8.5.100
apache                       tomcat         >= 9.0.13 < 9.0.116      9.0.116
apache                       tomcat
apache                       tomcat
apache                       tomcat
apache                       tomcat
apache_software_foundation   apache_tomcat
apache_software_foundation   apache_tomcat
apache_software_foundation   apache_tomcat

Detection & IOCs (extracted from sources)

port: 4000
bytes: 464c5432303032 (FLT2002 - packet header magic bytes)
bytes: 544c4632303033 (TLF2003 - packet trailer magic bytes)
bytes: 5452494245532d42 (TRIBES-B - member message header)
bytes: 5452494245532d45 (TRIBES-E - member message trailer)
bytes:
aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff (Java deserialization gadget prefix)
bytes: 74000071007e0005740004687474707078740003706f6378 (Java deserialization gadget suffix)
  • Detect exploit attempts by monitoring TCP traffic to port 4000 containing the TRIBES protocol magic bytes 'FLT2002' (hex: 464c5432303032) as packet header and 'TLF2003' (hex: 544c4632303033) as packet trailer, combined with Java deserialization magic bytes 0xaced at the payload offset.
  • The exploit sends an unencrypted serialized Java object (magic bytes aced0005) to the Tribes cluster receiver port (default 4000). Alert on inbound TCP connections to port 4000 carrying aced0005 within the payload.
  • The exploit uses an out-of-band DNS interaction (interactsh) to confirm code execution. Correlate DNS lookups from Tomcat cluster nodes to unexpected external hostnames following inbound connections on port 4000.
  • Shodan query for exposed Apache Tomcat Tribes cluster receivers: product:"Apache Tomcat Tribes". Use this to identify internet-exposed cluster nodes susceptible to unauthenticated exploitation.
  • Affected versions are Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. Detect vulnerable instances by version banner and alert if cluster port 4000 is reachable from untrusted networks.
  • CVE-2026-29146 (Padding Oracle in EncryptInterceptor) affects a broader range of versions: Tomcat 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. The fix introduced in those versions (11.0.19, 10.1.53, 9.0.116) was itself bypassed by CVE-2026-34486.
  • The EncryptInterceptor bypass (CVE-2026-34486) was introduced specifically by the fix for CVE-2026-29146, meaning versions 11.0.20, 10.1.53, and 9.0.116 — which patched the Padding Oracle — are themselves vulnerable to the bypass. Only 11.0.21, 10.1.54, and 9.0.117 resolve both issues.
  • The exploit only applies when the Tribes cluster receiver port (default 4000) is network-accessible. The pre-condition check in the PoC template confirms the port must be open before sending the payload.
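The first two detection bullets above describe a framing check that a network sensor can apply to captured TCP payloads: an FLT2002 header, a TLF2003 trailer, and the Java serialization stream magic aced0005 somewhere in between. The Python below is an added example, not code from the page's sources or from Tomcat; the function names (inspect_tribes_payload, alert_lines) and the three sample payloads are constructed here, and the heuristic that a cleartext Java stream inside a frame is suspicious assumes EncryptInterceptor is expected to be on.

```python
# Added example: flag Tribes channel frames that carry a cleartext Java
# serialization stream. Framing markers come from the IOC list above; the
# sample payloads at the bottom are constructed, not captured traffic.
TRIBES_RECEIVER_PORT = 4000
PACKET_HEADER = bytes.fromhex("464c5432303032")   # "FLT2002"
PACKET_TRAILER = bytes.fromhex("544c4632303033")  # "TLF2003"
JAVA_STREAM_MAGIC = bytes.fromhex("aced0005")     # Java ObjectOutputStream header


def inspect_tribes_payload(payload: bytes) -> dict:
    """Classify one TCP payload seen on the Tribes receiver port.

    framed         - starts with FLT2002 and ends with TLF2003
    java_stream_at - absolute offset of the first aced0005 inside the frame, or -1
    suspicious     - framed message whose body is a cleartext Java stream;
                     with EncryptInterceptor active the body should be opaque
    """
    framed = payload.startswith(PACKET_HEADER) and payload.endswith(PACKET_TRAILER)
    body = payload[len(PACKET_HEADER):-len(PACKET_TRAILER)] if framed else payload
    rel = body.find(JAVA_STREAM_MAGIC)
    offset = -1 if rel < 0 else rel + (len(PACKET_HEADER) if framed else 0)
    return {"framed": framed, "java_stream_at": offset, "suspicious": framed and rel >= 0}


def alert_lines(connections) -> list:
    """connections: iterable of (src_ip, dst_port, payload).
    Returns one alert string per suspicious frame sent to the receiver port."""
    alerts = []
    for src, dst_port, payload in connections:
        if dst_port != TRIBES_RECEIVER_PORT:
            continue  # only the cluster receiver port is in scope
        result = inspect_tribes_payload(payload)
        if result["suspicious"]:
            alerts.append(f"{src} -> tcp/{dst_port}: cleartext Java stream at offset "
                          f"{result['java_stream_at']} inside Tribes frame")
    return alerts


# Constructed samples: a cleartext object inside a Tribes frame, a frame whose
# body is opaque (what an encrypted channel looks like), and unrelated HTTP.
SAMPLE_CONNECTIONS = [
    ("10.0.0.7", 4000, PACKET_HEADER + b"\x00\x00\x00\x10" + JAVA_STREAM_MAGIC
                       + b"sr\x00\x11java.util.HashMap" + PACKET_TRAILER),
    ("10.0.0.8", 4000, PACKET_HEADER + bytes(range(32)) + PACKET_TRAILER),
    ("10.0.0.9", 8080, b"GET / HTTP/1.1\r\nHost: tomcat\r\n\r\n"),
]

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_CONNECTIONS):
        print(line)
```

In a cluster that never enabled EncryptInterceptor, legitimate replication messages are also cleartext Java streams and will match, so scope the rule to source addresses outside the known cluster membership.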

CVSS provenance

nvd            v3.1   7.5   HIGH   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa                  7.5   HIGH
vendor_apache         8.5   HIGH
vendor_redhat         8.5   HIGH