CVE-2026-34486
Published 2026-04-09
CVE-2026-34486: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue…
Priority P269 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS 15.83% (96.5th percentile)
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
Detection & IOCs (extracted from sources)
- port 4000
- port 4001
- shodan-query: product:"Apache Tomcat Tribes"
- bytes 5452494245532d42 (ASCII "TRIBES-B")
- bytes 5452494245532d45 (ASCII "TRIBES-E")
- Exploit targets the Apache Tomcat Tribes cluster receiver port (default 4000/tcp). Detect by monitoring for inbound TCP connections on port 4000 carrying the FLT2002/TLF2003 framing magic bytes (0x464c543230303200000000... / 0x544c463230303300000000...) from untrusted sources.
- The exploit triggers an out-of-band DNS callback to an attacker-controlled interactsh host. Detect successful exploitation by monitoring for unexpected DNS lookups originating from Tomcat server processes.
- Affected versions are exactly Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. Identify exposed instances via Shodan query for product:"Apache Tomcat Tribes" and correlate with version banners.
- The attack is unauthenticated and requires only network access to the Tribes receiver port. A single crafted TCP packet is sufficient (max-request: 1). Block or firewall port 4000/tcp from untrusted networks as an immediate mitigation.
- The vulnerability only affects deployments where the Tribes EncryptInterceptor is configured (i.e., cluster replication is enabled with encryption). Standalone Tomcat instances without clustering are not affected.
- No Red Hat mitigation is currently available that meets ease-of-use and deployment criteria; upgrading to fixed versions (11.0.21 / 10.1.54 / 9.0.117) is the only reliable remediation.
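Added example (not taken from any of the sources quoted on this page): a defender-side heuristic that inspects payloads delivered to the Tribes receiver ports and flags a cleartext Java serialization header, which should never be visible when EncryptInterceptor is encrypting the message body. Assumptions: the framing markers are the ones listed in the IOC section above, the monitored port set is 4000-4001, and the sample flows are constructed, not real captures.

```python
"""Heuristic detector: cleartext Java serialization inside Tribes cluster traffic."""
from dataclasses import dataclass
from typing import Optional

# Tribes framing markers as listed in the IOC section of this record (ASCII of the hex values).
TRIBES_START_MARKERS = (b"FLT2002", b"TRIBES-B")
# Java object serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Assumption: the cluster receiver listens on the default port range noted in the record.
TRIBES_PORTS = {4000, 4001}


@dataclass
class Finding:
    src: str
    dst_port: int
    reason: str


def inspect_payload(src: str, dst_port: int, payload: bytes) -> Optional[Finding]:
    """Return a Finding when a cluster-port payload looks like an unencrypted Tribes message.

    With EncryptInterceptor in place the message body is ciphertext, so the plaintext
    serialization header must not appear; seeing 0xACED0005 means the body reached the
    receiver unencrypted (interceptor bypassed or not configured)."""
    if dst_port not in TRIBES_PORTS:
        return None
    framed = payload.startswith(TRIBES_START_MARKERS)
    if JAVA_SER_MAGIC in payload:
        kind = "Tribes-framed" if framed else "unframed"
        return Finding(src, dst_port, f"cleartext Java serialization stream in {kind} cluster payload")
    return None


def scan(flows):
    """Run the heuristic over (src, dst_port, payload) tuples and return all findings."""
    return [f for f in (inspect_payload(*flow) for flow in flows) if f]


# Constructed sample flows (not real captures). The first body is arbitrary bytes standing in
# for ciphertext; the second carries a serialization header (TC_OBJECT, TC_CLASSDESC, class name).
SAMPLE_FLOWS = [
    ("10.0.0.5", 4000, b"FLT2002" + b"\x00" * 8 + bytes(range(16)) + b"TLF2003"),
    ("203.0.113.9", 4000, b"FLT2002" + b"\x00" * 8 + JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap" + b"TLF2003"),
    ("203.0.113.9", 8080, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> :{f.dst_port} {f.reason}")
```

The check is deliberately independent of the exact Tribes frame layout, so it also fires on cleartext serialization that arrives without the expected framing.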
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | 7.5 | HIGH | |
| vendor_apache | 8.5 | HIGH | |
| vendor_redhat | 8.5 | HIGH | |
GHSA
Apache Tomcat Missing Encryption of Sensitive Data vulnerability
ghsa·2026-04-09·CVSS 7.5
CVE-2026-34486 [HIGH] CWE-311 Apache Tomcat Missing Encryption of Sensitive Data vulnerability
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
VulDB
Apache Tomcat up to 9.0.116/10.1.53/11.0.20 missing encryption
vuldb·2026-04-09·CVSS 8.5
CVE-2026-34486 [HIGH] Apache Tomcat up to 9.0.116/10.1.53/11.0.20 missing encryption
A vulnerability marked as problematic has been reported in Apache Tomcat up to 9.0.116/10.1.53/11.0.20. Affected by this vulnerability is an unknown functionality. The manipulation leads to missing encryption of sensitive data.
This vulnerability is referenced as CVE-2026-34486. Remote exploitation of the attack is possible. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
GHSA-69r9-qgr7-g2wj: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor
ghsa_unreviewed·2026-04-09·CVSS 7.5
CVE-2026-34486 [HIGH] CWE-311 GHSA-69r9-qgr7-g2wj: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Red Hat
Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
vendor_redhat·2026-04-09·CVSS 8.5
CVE-2026-34486 [HIGH] CWE-807 Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
A flaw was found in Apache Tomcat. This vulnerability, categorized as Missing Encryption of Sensitive Data, arises from a bypass in the EncryptInterceptor, a component designed to ensure data encryption. This bypass, introduced as a fix for CVE-2026-29146, allows sensitive data to remain unencrypted, potentially leading to information disclosure.
Statement: This is an Important flaw in Apache Tomcat where a bypass in the EncryptInterceptor allows sensitive data to remain unencrypted. This could lead to information disclosure in Red Hat Enterprise Linux and Red Hat JBoss Web Server environments utilizing affected versions of Apache Tomcat.
Mitigation: Mitigation for this issue is either no
Apache
Apache tomcat: CVE-2026-29146
vendor_apache·CVSS 8.5
CVE-2026-29146 [HIGH] Apache tomcat: CVE-2026-29146
CVE-2026-34486: An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed. This was fixed with commit 1fab40cc. This issue was reported to the Tomcat security team on 26 March 2026. The issue was made public on 9 April 2026. Affects: 11.0.20
Severity: high
No detection rules found.
Nuclei
Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution
nuclei·CVSS 7.5
CVE-2026-34486 [HIGH] Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Template:
id: CVE-2026-34486
info:
  name: Apache Tomcat Tribes EncryptInterceptor Bypass - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
  impact: |
    An unauthenticated attacker can achieve remote code execution by sending an unencrypted serialized Java object to the Tribes clus
Bugzilla
CVE-2026-34486 tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass [fedora-all]
bugzilla·2026-04-10·CVSS 8.5
CVE-2026-34486 [HIGH] CVE-2026-34486 tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-34486 Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
bugzilla·2026-04-09·CVSS 8.5
CVE-2026-34486 [HIGH] CVE-2026-34486 Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Hackernews
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
blogs_hackernews·2026-04-20
CVE-2026-20184 ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
References
- https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
- https://www.vicarius.io/vsociety/posts/cve-2026-34486-detection-script-rce-on-apache-tomcat
- https://www.vicarius.io/vsociety/posts/cve-2026-34486-mitigation-script-rce-on-apache-tomcat
- https://access.redhat.com/security/cve/CVE-2026-34486
- https://bugzilla.redhat.com/show_bug.cgi?id=2457027
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34486.json
Published 2026-04-09