{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34486", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-30T07:57:49.315Z", "datePublished": "2026-04-09T19:35:35.994Z", "dateUpdated": "2026-04-10T20:20:56.605Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "11.0.20", "versionType": "semver"}, {"status": "affected", "version": "10.1.53", "versionType": "semver"}, {"status": "affected", "version": "9.0.116", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk at striga.ai"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the&nbsp;fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.</p><p>This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</p>"}], "value": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:35:35.994Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T20:20:09.561886Z", "id": "CVE-2026-34486", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:20:56.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34486", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T20:20:09.561886Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T20:20:27.094Z"}}], "cna": {"title": "Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk at striga.ai"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.20", "versionType": "semver"}, {"status": "affected", "version": "10.1.53", "versionType": "semver"}, {"status": "affected", "version": "9.0.116", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the&nbsp;fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.</p><p>This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311 Missing Encryption of Sensitive Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:35:35.994Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34486", "state": "PUBLISHED", "dateUpdated": "2026-04-10T20:20:56.605Z", "dateReserved": "2026-03-30T07:57:49.315Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:35:35.994Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:9.0.116:*:*:*:*:*:*:*", "matchCriteriaId": "CC160F23-A9D6-42DA-92E6-886B1B1F48A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:10.1.53:*:*:*:*:*:*:*", "matchCriteriaId": "0E7A0CE9-EBDF-4305-9C06-E7D4521AF422", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "64BAAE4D-2355-43D8-83E5-01CA71D5DC0B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."}], "id": "CVE-2026-34486", "lastModified": "2026-04-14T12:45:40.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:25.063", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass", "id": "2457027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457027"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-807", "details": ["A flaw was found in Apache Tomcat. This vulnerability, categorized as Missing Encryption of Sensitive Data, arises from a bypass in the EncryptInterceptor, a component designed to ensure data encryption. This bypass, introduced as a fix for CVE-2026-29146, allows sensitive data to remain unencrypted, potentially leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-34486", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:35:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34486\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34486\nhttps://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly"], "statement": "This is an Important flaw in Apache Tomcat where a bypass in the EncryptInterceptor allows sensitive data to remain unencrypted. This could lead to information disclosure in Red Hat Enterprise Linux and Red Hat JBoss Web Server environments utilizing affected versions of Apache Tomcat.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "11.0.20"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "10.1.53"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "9.0.116"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T15:05:23.826154+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 to eliminate the encryption bypass flaw."], "summary": {"action": "Patch Now", "impact": "Confidentiality compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Apache Tomcat versions 11.0.20, 10.1.53, and 9.0.116. Users running these releases are advised to upgrade to the next minor releases\u201411.0.21 for version 11.x, 10.1.54 for 10.x, and 9.0.117 for 9.x\u2014as these patches resolve the encryption bypass.", "description_and_impact": "An upgrade that intended to close a prior issue introduced a flaw where the EncryptInterceptor in Apache Tomcat is bypassed, leaving sensitive data unencrypted. This missing encryption can allow an attacker to read data that should otherwise be protected, making it a confidentiality risk. The flaw is classified as CWE\u2011311, Missing Encryption of Sensitive Data, and involves resource handling weaknesses per CWE\u2011807.", "risk_and_exploitability": "The issue carries a CVSS score of 7.5, indicating a high severity, while the EPSS score is less than 1 percent, implying a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, likely over HTTP or HTTPS connections, since the vulnerability arises during request handling and could be triggered by crafted requests."}}}}, "created": "2026-04-10T08:38:48.694347+00:00", "updated": "2026-04-14T16:36:48.087124+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}