CVE-2026-34487

CWE-532 — Log File Information Exposure CWE-5388 documents7 sources

Severity

7.5HIGH

No vector

EPSS

0.0%

top 91.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Affected Packages4 packages

▶Mavenorg.apache.tomcat:tomcat9.0.13 — 9.0.117+2

▶Mavenorg.apache.tomcat:tomcat-catalina9.0.13 — 9.0.117+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.13 — 9.0.117+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.20+2

🔴Vulnerability Details

CVEList

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token↗2026-04-09

▶

GHSA

GHSA-x4m4-345f-5h5g: Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernete↗2026-04-09

▶

GHSA

Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File↗2026-04-09

▶

VulDB

Apache Tomcat up to 9.0.116/10.1.53/11.0.20 Bearer Token log file↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files↗2026-04-09

▶

💬Community

Bugzilla

CVE-2026-34487 tomcat: Apache Tomcat: Information disclosure via sensitive data in log files [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-34487 Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files↗2026-04-09

▶