CVE-2026-34486
published 2026-04-09

Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploit: public exploit known
EPSS: 15.83% (96.5th percentile)
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
apache | tomcat  | 11.0.20       | 11.0.21
apache | tomcat  | 10.1.53       | 10.1.54
apache | tomcat  | 9.0.116       | 9.0.117
apache | tomcat  |               |

Detection & IOCs (extracted from sources)

  • port: 4000/tcp
  • port: 4001/tcp
  • shodan-query: product:"Apache Tomcat Tribes"
  • bytes: 5452494245532d42 (ASCII "TRIBES-B", Tribes member-record begin marker)
  • bytes: 5452494245532d45 (ASCII "TRIBES-E", Tribes member-record end marker)
  • bytes (truncated): aced0005737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000c770800000010000000017372000c6a6176612e6e65742e55524c962537361afce47203000749000868617368436f6465490004706f72744c0009617574686f726974797400124c6a6176612f6c616e672f537472696e673b4c000466696c6571007e00034c0004686f737471007e00034c000870726f746f636f6c71007e00034c000372656671007e00037870ffffffffffffffff
    This is a Java serialization stream (magic 0xaced0005) describing a java.util.HashMap that holds a java.net.URL with hashCode = -1, the shape of the URLDNS deserialization gadget that produces the DNS callback noted below.
  • The exploit targets the Apache Tomcat Tribes cluster receiver port (default 4000/tcp). Detect it by monitoring inbound TCP connections on port 4000 from untrusted sources that carry the FLT2002/TLF2003 framing magic bytes (0x464c543230303200000000... / 0x544c463230303300000000...).
  • The exploit triggers an out-of-band DNS callback to an attacker-controlled interactsh host. Detect successful exploitation by monitoring for unexpected DNS lookups originating from Tomcat server processes.
  • The affected versions are exactly Apache Tomcat 11.0.20, 10.1.53 and 9.0.116. Identify exposed instances with the Shodan query product:"Apache Tomcat Tribes" and correlate the results with version banners.
  • The attack is unauthenticated and requires only network access to the Tribes receiver port; a single crafted TCP packet is sufficient (the detection template's max-request is 1). Block or firewall port 4000/tcp from untrusted networks as an immediate mitigation.
  • The vulnerability only affects deployments where the Tribes EncryptInterceptor is configured, i.e. cluster replication is enabled with encryption. Standalone Tomcat instances without clustering are not affected.
  • Red Hat lists no mitigation that meets its ease-of-use and deployment criteria; upgrading to a fixed version (11.0.21 / 10.1.54 / 9.0.117) is the only reliable remediation.
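The detection notes above can be turned into a small triage routine. The following is an added example written for this page, not code from Tomcat, the exploit or any detection template: it parses the Tribes XByteBuffer framing named in the first bullet (7-byte "FLT2002" start marker, 4-byte big-endian length, data, 7-byte "TLF2003" end marker, the layout of XByteBuffer.createDataPackage), looks for the TRIBES-B/TRIBES-E marker bytes and the serialized java.net.URL gadget listed as IOCs, and decides whether a payload on port 4000/4001 came from outside the cluster's replication subnet. The trusted subnet (10.0.0.0/24), the sample source addresses and the sample frames are assumptions constructed for the example; the gadget bytes are the IOC hex from this page.

```python
"""Triage captured TCP payloads aimed at a Tomcat Tribes receiver port.

Added example for this page; not Tomcat's, the exploit's or a detection
template's own code. Framing follows XByteBuffer.createDataPackage.
"""
import ipaddress
import struct

FLT_START = bytes.fromhex("464c5432303032")    # b"FLT2002", XByteBuffer START_DATA
TLF_END = bytes.fromhex("544c4632303033")      # b"TLF2003", XByteBuffer END_DATA
MBR_BEGIN = bytes.fromhex("5452494245532d42")  # b"TRIBES-B", member-record begin (page IOC)
MBR_END = bytes.fromhex("5452494245532d45")    # b"TRIBES-E", member-record end (page IOC)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"        # java.io.ObjectOutputStream stream header
URL_CLASS = b"java.net.URL"                    # class name present in the URLDNS gadget
TRIBES_PORTS = {4000, 4001}

# Assumption: only these networks host legitimate cluster members.
TRUSTED_CLUSTER_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# The serialized-HashMap IOC from this page, split at its field boundaries.
URLDNS_PREFIX_HEX = (
    "aced0005"                                             # stream magic, version 5
    "7372" "0011" "6a6176612e7574696c2e486173684d6170"     # TC_OBJECT, TC_CLASSDESC "java.util.HashMap"
    "0507dac1c31660d1" "03" "0002"                         # serialVersionUID, flags, 2 fields
    "46" "000a" "6c6f6164466163746f72"                     # float loadFactor
    "49" "0009" "7468726573686f6c64" "78" "70"             # int threshold, end, no superclass
    "3f400000" "0000000c"                                  # loadFactor 0.75, threshold 12
    "77" "08" "00000010" "00000001"                        # block data: 16 buckets, 1 entry
    "7372" "000c" "6a6176612e6e65742e55524c"               # entry key class "java.net.URL"
    "962537361afce472" "03" "0007"                         # serialVersionUID, flags, 7 fields
    "49" "0008" "68617368436f6465" "49" "0004" "706f7274"  # int hashCode, int port
    "4c" "0009" "617574686f72697479"                       # String authority, typed as
    "74" "0012" "4c6a6176612f6c616e672f537472696e673b"     # "Ljava/lang/String;"
    "4c" "0004" "66696c65" "71" "007e0003"                 # String file (type back-reference)
    "4c" "0004" "686f7374" "71" "007e0003"                 # String host
    "4c" "0008" "70726f746f636f6c" "71" "007e0003"         # String protocol
    "4c" "0003" "726566" "71" "007e0003" "78" "70"         # String ref, end, no superclass
    "ffffffff" "ffffffff"                                  # hashCode=-1 (forces a lookup), port=-1; IOC ends here
)


def build_frame(data: bytes) -> bytes:
    """Wrap data the way XByteBuffer.createDataPackage does; used to construct samples."""
    return FLT_START + struct.pack(">i", len(data)) + data + TLF_END


def parse_tribes_frame(payload: bytes):
    """Return the framed data if payload is one well-formed Tribes package, else None."""
    if len(payload) < 18 or not payload.startswith(FLT_START):
        return None
    (length,) = struct.unpack(">i", payload[7:11])
    end = 11 + length
    if length < 0 or len(payload) < end + 7 or payload[end:end + 7] != TLF_END:
        return None
    return payload[11:end]


def classify(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """Score one inbound payload; 'verdict' is what a detection rule would alert on."""
    src = ipaddress.ip_address(src_ip)
    f = {
        "tribes_port": dst_port in TRIBES_PORTS,
        "framed": parse_tribes_frame(payload) is not None,
        "member_markers": MBR_BEGIN in payload and MBR_END in payload,
        "java_serialized": JAVA_SERIAL_MAGIC in payload,
        "urldns_gadget": JAVA_SERIAL_MAGIC in payload and URL_CLASS in payload,
        "from_untrusted": not any(src in net for net in TRUSTED_CLUSTER_NETS),
    }
    if not f["tribes_port"] or not (f["framed"] or f["member_markers"]):
        f["verdict"] = "ignore"            # not Tribes traffic
    elif not f["from_untrusted"]:
        f["verdict"] = "expected"          # replication between known members
    elif f["urldns_gadget"]:
        f["verdict"] = "exploit-attempt"   # untrusted peer delivering a deserialization gadget
    else:
        f["verdict"] = "suspicious"        # untrusted peer speaking Tribes framing at all
    return f


if __name__ == "__main__":
    # Constructed samples: the page's gadget from an outside host, and a
    # member record from the assumed replication subnet.
    exploit = build_frame(bytes.fromhex(URLDNS_PREFIX_HEX))
    replication = build_frame(MBR_BEGIN + b"node1" + MBR_END)
    for src, port, pkt in [("203.0.113.7", 4000, exploit), ("10.0.0.5", 4000, replication)]:
        print(src, port, classify(src, port, pkt)["verdict"])
```

The length check in parse_tribes_frame matters in practice: a payload that carries the start marker but not the matching end marker is either a fragment or a probe, and a rule that keys on the magic bytes alone will fire on both. Feeding the classifier from a packet capture or an IDS event stream, rather than from the constructed samples, is left to the deployment.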

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa          |         | 7.5   | HIGH     |
vendor_apache |         | 8.5   | HIGH     |
vendor_redhat |         | 8.5   | HIGH     |