Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Basic Information

ID CVE-2026-34486

Source apache

Published Apr 9, 2026 at 19:35

Modified Apr 10, 2026 at 20:20

Affected Product

Vendor Apache Software Foundation

Product Apache Tomcat

Version 11.0.20

Affected Versions Apache Software Foundation Apache Tomcat 11.0.20
Apache Software Foundation Apache Tomcat 10.1.53
Apache Software Foundation Apache Tomcat 9.0.116

CWE Classification

CWE-311

References

lists.apache.org /thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly

{
    "lastseen": "",
    "description": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.",
    "published": "2026-04-09T19:35:35.994Z",
    "modified": "2026-04-10T20:20:56.605Z",
    "type": "cve",
    "title": "Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor",
    "source": "apache",
    "references": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly",
    "id": "CVE-2026-34486",
    "bulletinFamily": "",
    "cwe": [
        "CWE-311"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Tomcat 11.0.20\nApache Software Foundation Apache Tomcat 10.1.53\nApache Software Foundation Apache Tomcat 9.0.116",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Tomcat",
    "version": "11.0.20",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor_CVE-2026-34486