← back
CVE-2026-34486

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

CVSS 7.5 HIGHEPSS 15.4%CWE-311
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Apache Software Foundation · Apache Tomcat
public PoCs found2
githubgithub.com/striga-ai/CVE-2026-3448668githubgithub.com/anonmrc/CVE-2026-34486-e-Tomcat-Tribes0
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrlyhttps://www.vicarius.io/vsociety/posts/cve-2026-34486-detection-script-rce-on-apache-tomcathttps://www.vicarius.io/vsociety/posts/cve-2026-34486-mitigation-script-rce-on-apache-tomcat