CVE-2026-29146
Published 2026-04-09
Priority: P2 62 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 3.49% (87.7th percentile)
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | >= 10.0.0 < 10.1.53 | 10.1.53 |
| apache | tomcat | >= 11.0.0 < 11.0.20 | 11.0.20 |
| apache | tomcat | 7.0.100 – 7.0.109 | — |
| apache | tomcat | 8.5.38 – 8.5.100 | — |
| apache | tomcat | >= 9.0.13 < 9.0.116 | 9.0.116 |
| apache_software_foundation | apache_tomcat | — | — |
| apache_software_foundation | apache_tomcat | — | — |
| apache_software_foundation | apache_tomcat | — | — |
Detection & IOCs (extracted from sources)
- port: 4000
- bytes: 464c5432303032 (FLT2002 - packet header magic bytes)
- bytes: 544c4632303033 (TLF2003 - packet trailer magic bytes)
- bytes: 5452494245532d42 (TRIBES-B - member message header)
- bytes: 5452494245532d45 (TRIBES-E - member message trailer)
- bytes: aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff (Java deserialization gadget prefix)
- bytes: 74000071007e0005740004687474707078740003706f6378 (Java deserialization gadget suffix)
- Detect exploit attempts by monitoring TCP traffic to port 4000 containing the TRIBES protocol magic bytes 'FLT2002' (hex: 464c5432303032) as packet header and 'TLF2003' (hex: 544c4632303033) as packet trailer, combined with Java deserialization magic bytes 0xaced at the payload offset.
- The exploit sends an unencrypted serialized Java object (magic bytes aced0005) to the Tribes cluster receiver port (default 4000). Alert on inbound TCP connections to port 4000 carrying aced0005 within the payload.
- The exploit uses an out-of-band DNS interaction (interactsh) to confirm code execution. Correlate DNS lookups from Tomcat cluster nodes to unexpected external hostnames following inbound connections on port 4000.
- Shodan query for exposed Apache Tomcat Tribes cluster receivers: product:"Apache Tomcat Tribes". Use this to identify internet-exposed cluster nodes susceptible to unauthenticated exploitation.
- Affected versions are Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. Detect vulnerable instances by version banner and alert if cluster port 4000 is reachable from untrusted networks.
- CVE-2026-29146 (Padding Oracle in EncryptInterceptor) affects a broader range of versions: Tomcat 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. The fix introduced in those versions (11.0.19, 10.1.53, 9.0.116) was itself bypassed by CVE-2026-34486.
- The EncryptInterceptor bypass (CVE-2026-34486) was introduced specifically by the fix for CVE-2026-29146, meaning versions 11.0.20, 10.1.53, and 9.0.116 — which patched the Padding Oracle — are themselves vulnerable to the bypass. Only 11.0.21, 10.1.54, and 9.0.117 resolve both issues.
- The exploit only applies when the Tribes cluster receiver port (default 4000) is network-accessible. The pre-condition check in the PoC template confirms the port must be open before sending the payload.
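Detection logic for the indicators above, as an added example that is neither the advisory's nor Tomcat's code: it splits inbound traffic to the receiver port into Tribes frames and flags any frame body carrying a cleartext Java serialization header, which is what an unencrypted serialized object looks like where EncryptInterceptor should have produced ciphertext. The frame layout (FLT2002, 4-byte length, body, TLF2003), the function names and the sample flows are my assumptions; a cluster that never enabled EncryptInterceptor sends serialized objects in the clear legitimately, so the rule only means something where encryption is expected.

```python
# Added example (mine, not the advisory's or Tomcat's code): flag Tribes frames
# to the cluster receiver port whose body carries a plaintext Java serialization
# stream. With EncryptInterceptor active the body should be ciphertext, so a
# cleartext aced0005 is the indicator the detection notes describe.
# Assumed frame layout (not on the page): "FLT2002" + 4-byte big-endian
# body length + body + "TLF2003".
import struct

TRIBES_START = bytes.fromhex("464c5432303032")  # "FLT2002" packet header
TRIBES_END = bytes.fromhex("544c4632303033")    # "TLF2003" packet trailer
JAVA_SERIAL_MAGIC = bytes.fromhex("aced0005")   # Java ObjectOutputStream header
RECEIVER_PORT = 4000                            # Tribes receiver default

def tribes_frames(payload: bytes) -> list[bytes]:
    """Split a TCP payload into frame bodies, resyncing past malformed frames."""
    bodies, pos = [], 0
    while (start := payload.find(TRIBES_START, pos)) >= 0:
        len_at = start + len(TRIBES_START)
        if len(payload) < len_at + 4:
            break
        (length,) = struct.unpack(">I", payload[len_at:len_at + 4])
        body_at, end_at = len_at + 4, len_at + 4 + length
        if payload[end_at:end_at + len(TRIBES_END)] != TRIBES_END:
            pos = len_at  # no trailer where expected: look for the next header
            continue
        bodies.append(payload[body_at:end_at])
        pos = end_at + len(TRIBES_END)
    return bodies

def inspect_flow(dst_port: int, payload: bytes) -> list[str]:
    """Return one alert per suspicious frame in an inbound flow (empty if benign)."""
    if dst_port != RECEIVER_PORT:
        return []
    alerts = []
    for i, body in enumerate(tribes_frames(payload)):
        off = body.find(JAVA_SERIAL_MAGIC)
        if off >= 0:
            alerts.append(f"frame {i}: cleartext Java serialization header at body offset {off}")
    return alerts

def build_frame(body: bytes) -> bytes:
    """Assemble a frame in the assumed layout; only used for constructed samples."""
    return TRIBES_START + struct.pack(">I", len(body)) + body + TRIBES_END

# Constructed samples, not captured traffic: cleartext object, opaque bytes, other port.
CONSTRUCTED_FLOWS = [
    (4000, build_frame(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x11")),
    (4000, build_frame(bytes.fromhex("8f2a9c01d4e7b3f0"))),
    (8080, build_frame(JAVA_SERIAL_MAGIC)),
]
```

Run `inspect_flow(port, payload)` per reassembled inbound TCP stream; only the first sample above produces an alert.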
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| GHSA | 7.5 | HIGH | — |
| Vendor (Apache) | 8.5 | HIGH | — |
| Vendor (Red Hat) | 8.5 | HIGH | — |
GHSA
CVE-2026-34486 [HIGH] CWE-311: Apache Tomcat Missing Encryption of Sensitive Data vulnerability
ghsa · 2026-04-09 · CVSS 7.5
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
GHSA
CVE-2026-34486 [HIGH] CWE-311: GHSA-69r9-qgr7-g2wj: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor
ghsa_unreviewed · 2026-04-09 · CVSS 7.5
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
VulDB
CVE-2026-29146 [HIGH]: Apache Tomcat up to 7.0.109/8.5.100/9.0.115/10.1.52/11.0.18 EncryptInterceptor reliance on obfuscation or encryption of security-relevant inputs without integrity checking
vuldb · 2026-04-09 · CVSS 7.5
A vulnerability, which was classified as problematic, was found in Apache Tomcat up to 7.0.109/8.5.100/9.0.115/10.1.52/11.0.18. Affected is an unknown function of the component EncryptInterceptor. The manipulation results in reliance on obfuscation or encryption of security-relevant inputs without integrity checking.
This vulnerability is reported as CVE-2026-29146. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
GHSA
CVE-2026-29146: GHSA-h468-7pvh-8vr8: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration
ghsa_unreviewed · 2026-04-09
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
GHSA
CVE-2026-29146 [HIGH] CWE-209: Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor
ghsa · 2026-04-09
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
Red Hat
CVE-2026-29146 [HIGH] CWE-1240: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor
vendor_redhat · 2026-04-09 · CVSS 7.5
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
A flaw was found in Apache Tomcat. This Padding Oracle vulnerability, present in the EncryptInterceptor with its default configuration, could allow a remote attacker to decrypt sensitive information. By exploiting weaknesses in the encryption padding, an attacker may be able to gain unauthorized access to data t
Red Hat
CVE-2026-34486 [HIGH] CWE-807: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
vendor_redhat · 2026-04-09 · CVSS 8.5
A flaw was found in Apache Tomcat. This vulnerability, categorized as Missing Encryption of Sensitive Data, arises from a bypass in the EncryptInterceptor, a component designed to ensure data encryption. This bypass, introduced as a fix for CVE-2026-29146, allows sensitive data to remain unencrypted, potentially leading to information disclosure.
Statement: This is an Important flaw in Apache Tomcat where a bypass in the EncryptInterceptor allows sensitive data to remain unencrypted. This could lead to information disclosure in Red Hat Enterprise Linux and Red Hat JBoss Web Server environments utilizing affected versions of Apache Tomcat.
Mitigation: Mitigation for this issue is either no
Apache
CVE-2026-29146 [HIGH]: Apache tomcat: CVE-2026-29146
vendor_apache · CVSS 8.5
CVE-2026-34486: An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed. This was fixed with commit 1fab40cc. This issue was reported to the Tomcat security team on 26 March 2026. The issue was made public on 9 April 2026. Affects: 11.0.20
Severity: high
No detection rules found.
Nuclei
CVE-2026-34486 [HIGH]: Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution
nuclei · CVSS 7.5
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Template (as quoted by the source; the text is cut off mid-sentence):
```yaml
id: CVE-2026-34486
info:
  name: Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
  impact: |
    An unauthenticated attacker can achieve remote code execution by sending an unencrypted serialized Java object to the Tribes clus
```
Bugzilla
CVE-2026-29146 [HIGH]: tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor [fedora-all]
bugzilla · 2026-04-10 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34486 [HIGH]: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
bugzilla · 2026-04-09 · CVSS 8.5
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Bugzilla
CVE-2026-29146 [HIGH]: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor
bugzilla · 2026-04-09 · CVSS 7.5
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.
Hackernews
CVE-2026-6973 [CRITICAL]: ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews · 2026-05-11 · CVSS 9.3
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
CVE-2026-20184: ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews · 2026-04-20
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
References
- https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
- http://www.openwall.com/lists/oss-security/2026/04/09/24
- https://access.redhat.com/errata/RHSA-2026:20405
- https://access.redhat.com/errata/RHSA-2026:20406
- https://access.redhat.com/security/cve/CVE-2026-29146
- https://bugzilla.redhat.com/show_bug.cgi?id=2457020
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29146.json
Published: 2026-04-09