CVE-2026-29146 — Information Exposure via Error Message in Apache Software Foundation Apache Tomcat

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 71.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 9; latest update Apr 10
Description
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to versions 11.0.19, 10.1.53 or 9.0.116, which fix the issue.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 1 package
Vulnerability Details (5)
- VulDB: Apache Tomcat up to 7.0.109/8.5.100/9.0.115/10.1.52/11.0.18 EncryptInterceptor reliance on obfuscation or encryption of security-relevant inputs without integrity checking (2026-04-09)
- GHSA: GHSA-h468-7pvh-8vr8: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration (2026-04-09)
Vendor Advisories (3)
Community (3)
- Bugzilla: CVE-2026-29146 tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor [fedora-all] (2026-04-10)
- Bugzilla: CVE-2026-34486 Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass (2026-04-09)
- Bugzilla: CVE-2026-29146 Apache Tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor (2026-04-09)