Apache Tomcat Patches Critical Vulnerabilities Exposing Encryption and Certificate Validation Flaws
Apache Tomcat has released urgent security updates addressing three critical vulnerabilities that could allow attackers to bypass encryption protections or exploit flawed certificate validation in enterprise web environments.
The first flaw, CVE-2026-29146, affects Tomcat’s EncryptInterceptor component, which secures session data using CBC-mode encryption. Researchers discovered the implementation was vulnerable to a padding oracle attack, enabling attackers to analyze server responses and extract sensitive encrypted data. Impacted versions include Tomcat 11.0.0-M1 to 11.0.18, 10.1.0-M1 to 10.1.52, and 9.0.13 to 9.0.115.
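The padding-oracle class named above boils down to one property: a decryptor that lets a caller distinguish "padding valid" from "padding invalid" for ciphertext it did not produce. The following self-check is an added example, not Tomcat or Apache code, and it does not reconstruct CVE-2026-29146 or implement an attack. It puts the vulnerable pattern (CBC with no integrity check, a distinct padding error) next to the hardened pattern (encrypt-then-MAC, one uniform rejection) and counts how many distinguishable outcomes each shows when a ciphertext byte is tampered with. The 16-byte block cipher is a constructed toy Feistel network over HMAC-SHA256 standing in for AES so the file runs on the standard library alone; the constructed key, sample message and function names are assumptions for this illustration.

```python
"""Padding-oracle self-check: unauthenticated CBC vs. encrypt-then-MAC.

Added example, not Tomcat code. The block cipher is a constructed toy
(4-round Feistel on HMAC-SHA256) standing in for AES; only the CBC/PKCS#7
layer and the two decryptor designs matter here.
"""
import hashlib
import hmac
import os

BLOCK = 16
TAG_LEN = 32
KEY = bytes(range(32))         # constructed demo key: 16 enc + 16 MAC bytes
SAMPLE = b"cluster-msg:hello"  # constructed 17-byte message -> 15 pad bytes


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function: keyed PRF truncated to one 8-byte half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy Feistel permutation; a stand-in for AES, NOT a real cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


class PaddingError(ValueError):
    """Distinct padding failure: its visibility to a caller is the oracle."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, blk), prev))
        prev = blk
    return out


def legacy_seal(key: bytes, plaintext: bytes) -> bytes:
    # Vulnerable pattern: CBC with no integrity check over IV || ciphertext.
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key[:16], iv, pkcs7_pad(plaintext))


def legacy_open(key: bytes, message: bytes) -> bytes:
    # Decrypt-then-unpad; PaddingError escapes as a distinguishable outcome.
    return pkcs7_unpad(cbc_decrypt(key[:16], message[:BLOCK], message[BLOCK:]))


def sealed_seal(key: bytes, plaintext: bytes) -> bytes:
    # Hardened pattern: encrypt-then-MAC with a separate MAC key; the tag
    # covers IV and ciphertext, so any flipped bit is caught before decryption.
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(key[:16], iv, pkcs7_pad(plaintext))
    return body + hmac.new(key[16:], body, hashlib.sha256).digest()


def sealed_open(key: bytes, message: bytes) -> bytes:
    if len(message) < BLOCK + TAG_LEN:
        raise ValueError("rejected")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key[16:], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("rejected")
    try:
        return pkcs7_unpad(cbc_decrypt(key[:16], body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        raise ValueError("rejected") from None    # same outcome, never distinct


def response_classes(open_fn, key: bytes, message: bytes, tamper_index: int) -> set:
    """Defender self-check: flip one ciphertext byte through every value and
    record the distinguishable outcomes. A sound decryptor shows exactly one."""
    outcomes = set()
    for x in range(1, 256):
        tampered = bytearray(message)
        tampered[tamper_index] ^= x
        try:
            open_fn(key, bytes(tampered))
            outcomes.add("accepted")
        except ValueError as e:     # PaddingError is a ValueError subclass
            outcomes.add(str(e))
    return outcomes


def demo():
    # Tamper with the last byte of the penultimate ciphertext block, which
    # controls the final plaintext byte (the padding length byte) in CBC.
    legacy, sealed = legacy_seal(KEY, SAMPLE), sealed_seal(KEY, SAMPLE)
    return (response_classes(legacy_open, KEY, legacy, len(legacy) - BLOCK - 1),
            response_classes(sealed_open, KEY, sealed, len(sealed) - TAG_LEN - BLOCK - 1))


if __name__ == "__main__":
    leg, hard = demo()
    print("unauthenticated CBC outcomes:", sorted(leg))   # two classes: the oracle
    print("encrypt-then-MAC outcomes:  ", sorted(hard))   # one class: no oracle
```

The unauthenticated decryptor yields two observable classes ("accepted" and "bad padding"), which is exactly the signal a padding oracle needs; the encrypt-then-MAC decryptor yields one ("rejected") for every tampered input because the tag is checked before any decryption and padding failures are folded into the same error. When reviewing a component like EncryptInterceptor, the check to run is this one: tamper with ciphertext and confirm the observable behaviour (error type, message, status, and ideally timing) cannot vary.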
A subsequent patch for CVE-2026-29146 introduced a second vulnerability, CVE-2026-34486, due to a coding error that allowed attackers to bypass EncryptInterceptor entirely. This flaw affects Tomcat 11.0.20, 10.1.53, and 9.0.116, leaving systems exposed despite prior remediation efforts.
The third issue, CVE-2026-34500, involves Tomcat’s Online Certificate Status Protocol (OCSP) validation. In configurations using the Foreign Function and Memory API, revoked or invalid certificates could be incorrectly accepted, even with soft-fail disabled. Affected versions span Tomcat 11.0.0-M14 to 11.0.20, 10.1.22 to 10.1.53, and 9.0.92 to 9.0.116, potentially granting unauthorized access to attackers using compromised certificates.
Apache has released fixed versions (Tomcat 11.0.21, 10.1.54, and 9.0.117) and urges administrators to upgrade immediately, particularly if EncryptInterceptor or certificate-based authentication is enabled. The vulnerabilities underscore the risks of incomplete patches and the need for rigorous validation in web infrastructure security.
Source: https://cyberpress.org/apache-tomcat-vulnerability-2/
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
"id": "THE1776083789",
"linkid": "the-apache-software-foundation",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
  "affected_entities": [
    {
      "customers_affected": "Enterprises using affected Tomcat versions",
      "industry": "Technology/Software Development",
      "location": "Global",
      "name": "Apache Tomcat",
      "type": "Software"
    }
  ],
  "attack_vector": "Network",
  "customer_advisories": "Urgent upgrade recommended for affected versions",
  "data_breach": {
    "data_encryption": "Vulnerable to padding oracle attack (CVE-2026-29146)",
    "personally_identifiable_information": "Potential if extracted via padding oracle attack",
    "sensitivity_of_data": "High (if sensitive data is extracted)",
    "type_of_data_compromised": "Encrypted session data, certificate-based authentication data"
  },
  "description": "Apache Tomcat has released urgent security updates addressing three critical vulnerabilities that could allow attackers to bypass encryption protections or exploit flawed certificate validation in enterprise web environments. The vulnerabilities include CVE-2026-29146 (padding oracle attack on EncryptInterceptor), CVE-2026-34486 (bypass of EncryptInterceptor), and CVE-2026-34500 (flawed OCSP certificate validation).",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to security flaws",
    "data_compromised": "Sensitive encrypted data (via padding oracle attack)",
    "identity_theft_risk": "Potential if sensitive data is extracted",
    "operational_impact": "Potential unauthorized access to web environments",
    "payment_information_risk": "Potential if payment data is encrypted and exposed",
    "systems_affected": "Apache Tomcat servers"
  },
  "lessons_learned": "Risks of incomplete patches and need for rigorous validation in web infrastructure security",
  "post_incident_analysis": {
    "corrective_actions": "Release of fixed versions and validation of patches",
    "root_causes": [
      "Incomplete patch for CVE-2026-29146 leading to CVE-2026-34486",
      "Flawed OCSP certificate validation in Foreign Function and Memory API"
    ]
  },
  "recommendations": "Upgrade to fixed versions (Tomcat 11.0.21, 10.1.54, 9.0.117) immediately, especially if EncryptInterceptor or certificate-based authentication is enabled",
  "references": [{"source": "Apache Tomcat Security Advisory"}],
  "response": {
    "communication_strategy": "Public disclosure and urging administrators to upgrade",
    "containment_measures": "Patches released (Tomcat 11.0.21, 10.1.54, 9.0.117)",
    "remediation_measures": "Upgrade to fixed versions immediately"
  },
  "title": "Apache Tomcat Patches Critical Vulnerabilities Exposing Encryption and Certificate Validation Flaws",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": ["CVE-2026-29146", "CVE-2026-34486", "CVE-2026-34500"]
}