{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29129", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-04T08:16:56.456Z", "datePublished": "2026-04-09T19:19:40.645Z", "dateUpdated": "2026-04-10T18:06:45.771Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.18", "status": "affected", "version": "11.0.16", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.51", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.114", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Configured cipher preference order not preserved vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>"}], "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "Configured cipher preference order not preserved", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:19:40.645Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: TLS cipher order is not preserved", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:48.414Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-327", "lang": "en", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:05:39.544150Z", "id": "CVE-2026-29129", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:06:45.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:48.414Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:05:39.544150Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-327", "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:04:38.385Z"}}], "cna": {"title": "Apache Tomcat: TLS cipher order is not preserved", "source": {"discovery": "EXTERNAL"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.16", "versionType": "semver", "lessThanOrEqual": "11.0.18"}, {"status": "affected", "version": "10.1.51", "versionType": "semver", "lessThanOrEqual": "10.1.52"}, {"status": "affected", "version": "9.0.114", "versionType": "semver", "lessThanOrEqual": "9.0.115"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Configured cipher preference order not preserved vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Configured cipher preference order not preserved"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:19:40.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29129", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:06:45.771Z", "dateReserved": "2026-03-04T08:16:56.456Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:19:40.645Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "D1095386-8BA2-47E5-BD8D-F5E9A0A80D88", "versionEndExcluding": "9.0.116", "versionStartIncluding": "9.0.114", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "69F68887-B315-49A2-94D5-7A9ED489BE58", "versionEndExcluding": "10.1.53", "versionStartIncluding": "10.1.51", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB642368-D598-4F14-88F8-D55CE2C97657", "versionEndExcluding": "11.0.20", "versionStartIncluding": "11.0.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "id": "CVE-2026-29129", "lastModified": "2026-04-14T14:00:19.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:24.343", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved", "id": "2457031", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457031"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-15", "details": ["A flaw was found in Apache Tomcat. This vulnerability occurs when the configured cipher preference order is not preserved. This could allow an attacker to bypass intended security configurations, potentially leading to a weakened security posture or information disclosure."], "mitigation": {"lang": "en:us", "value": "Configure Apache Tomcat to explicitly allow only strong cipher suites. This ensures that even if the preference order is not strictly honored, only secure ciphers are utilized for TLS connections.\nEdit the `server.xml` file, typically located at `/etc/tomcat/server.xml` or `/opt/tomcat/conf/server.xml`, and modify the `<Connector>` element to include a `ciphers` attribute listing only approved strong cipher suites. For example:\n`<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLSv1.2+TLSv1.3\" ciphers=\"TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256\"/>`\nReplace the example cipher list with a comprehensive set of strong ciphers appropriate for your environment. This may impact compatibility with older clients that do not support the specified strong cipher suites.\nA restart of the Apache Tomcat service is required for the changes to take effect. Use the command `systemctl restart tomcat` or `systemctl restart tomcat9` depending on your installed package."}, "name": "CVE-2026-29129", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:19:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29129\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29129\nhttps://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"], "statement": "Low impact. A flaw in Apache Tomcat allows the configured cipher preference order to be bypassed. This could lead to a server using a weaker cipher than intended, potentially reducing the security posture of TLS connections. This affects Red Hat Enterprise Linux systems running Apache Tomcat.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.16,11.0.18]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.51,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.114,9.0.115]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T15:37:02.084872+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to the latest patched versions (11.0.20, 10.1.53, or 9.0.116).", "Verify the server's TLS configuration to enforce the desired cipher order and disable weak cipher suites."], "summary": {"action": "Immediate Patch", "impact": "Potential downgrade attacks using weaker cipher suites"}, "threat_synthesis": {"affected_systems": "Affected versions are Apache Tomcat 11.0.16 through 11.0.18, 10.1.51 through 10.1.52, and 9.0.114 through 9.0.115. The vulnerability has been fixed in Tomcat 11.0.20, 10.1.53, and 9.0.116. Administrators should confirm that their deployments run one of the patched releases to eliminate the issue.", "description_and_impact": "Apache Tomcat fails to preserve the configured cipher preference order during TLS handshakes, enabling an attacker to force the server to negotiate weaker cipher suites or to downgrade the encryption level. This flaw, rooted in environmental configuration interference (CWE\u201115) and improper use of security primitives (CWE\u2011327), can expose communication to less secure encryption, potentially permitting man\u2011in\u2011the\u2011middle attacks and weakening confidentiality and integrity of data in transit.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high impact vulnerability that does not require elevated privileges and can be triggered remotely during a TLS session. The EPSS score is below 1\u202f%, suggesting low current exploitation likelihood, and the issue is not yet listed in CISA\u2019s KEV catalog. An attacker who can influence a client\u2013server handshake may exploit the ordering flaw to force a weaker cipher or to downgrade the protocol, which could facilitate passive or active eavesdropping."}}}}, "created": "2026-04-10T08:38:57.484753+00:00", "updated": "2026-04-14T16:36:53.632510+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}