Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Basic Information

ID CVE-2026-29146

Source apache

Published Apr 9, 2026 at 19:21

Modified Apr 10, 2026 at 18:17

Affected Product

Vendor Apache Software Foundation

Product Apache Tomcat

Version 11.0.0-M1

Affected Versions Apache Software Foundation Apache Tomcat 11.0.0-M1
Apache Software Foundation Apache Tomcat 10.0.0-M1
Apache Software Foundation Apache Tomcat 9.0.13
Apache Software Foundation Apache Tomcat 8.5.38
Apache Software Foundation Apache Tomcat 7.0.100

CWE Classification

CWE-209 CWE-642

References

lists.apache.org /thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w

{
    "lastseen": "",
    "description": "Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.",
    "published": "2026-04-09T19:21:57.289Z",
    "modified": "2026-04-10T18:17:59.908Z",
    "type": "cve",
    "title": "Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default",
    "source": "apache",
    "references": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w",
    "id": "CVE-2026-29146",
    "bulletinFamily": "",
    "cwe": [
        "CWE-209",
        "CWE-642"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Tomcat 11.0.0-M1\nApache Software Foundation Apache Tomcat 10.0.0-M1\nApache Software Foundation Apache Tomcat 9.0.13\nApache Software Foundation Apache Tomcat 8.5.38\nApache Software Foundation Apache Tomcat 7.0.100",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Tomcat",
    "version": "11.0.0-M1",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default_CVE-2026-29146