CVE-2026-34486

CWE-311 CWE-8079 documents8 sources

Severity

7.5HIGH

No vector

EPSS

0.0%

top 98.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat11.0.20 — 11.0.21+2

▶Mavenorg.apache.tomcat:tomcat-catalina11.0.20 — 11.0.21+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core11.0.20 — 11.0.21+2

▶CVEListV5apache_software_foundation/apache_tomcat10.1.53, 11.0.20, 9.0.116+2

🔴Vulnerability Details

GHSA

Apache Tomcat Missing Encryption of Sensitive Data vulnerability↗2026-04-09

▶

VulDB

Apache Tomcat up to 9.0.116/10.1.53/11.0.20 missing encryption↗2026-04-09

▶

GHSA

GHSA-69r9-qgr7-g2wj: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor↗2026-04-09

▶

CVEList

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass↗2026-04-09

▶

Apache

Apache tomcat: CVE-2026-29146↗

▶

💬Community

Bugzilla

CVE-2026-34486 tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-34486 Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass↗2026-04-09

▶