← back
CVE-2026-34487

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

CVSS 7.5 HIGHEPSS 0.4%CWE-532
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
09 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Apache Software Foundation · Apache Tomcat

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850hhttp://www.openwall.com/lists/oss-security/2026/04/09/28