On 4th April 2026, Apache Tomcat addressed three distinct vulnerabilities affecting major versions (9.0, 10.1, and 11.0). These range from Moderate to Important in severity and primarily impact authentication and encryption mechanisms.
Severity: High
Vulnerability Details
The three CVEs form a sequential chain — CVE-2026-29146 → incomplete fix → CVE-2026-34486. Any org tracking only the first CVE may believe they are remediated when they are not.
Two of the three vulnerabilities affect cryptographic integrity (EncryptInterceptor) and one affects mTLS authentication (OCSP/CLIENT_CERT). Both are relevant to high-trust, encrypted inter-node or client-facing communication scenarios.
1. CVE-2026-29146: EncryptInterceptor Padding Oracle Attack
| Severity: | Important |
| Component: | EncryptInterceptor (CBC mode default) |
| Vulnerability Type: | Padding Oracle Attack |
| Root Cause: | CBC encryption used by default, which is inherently susceptible to padding oracle exploitation |
| Affected Versions: | Tomcat 11.0.0-M1–11.0.18, 10.1.0-M1–10.1.52, 9.0.13–9.0.115 (+ older EOS versions) |
| Fix Versions: | 11.0.20+, 10.1.53+, 9.0.116+ |
This is the root vulnerability in a chain. CBC-mode padding oracle attacks allow an adversary to decrypt ciphertext without the key by observing how the server responds to malformed padding, a well-understood class of cryptographic weakness.
2. CVE-2026-34486: EncryptInterceptor Bypass (Incomplete Fix)
| Severity: | Important |
| Component: | EncryptInterceptor |
| Vulnerability Type: | Security Control Bypass |
| Root Cause: | The patch for CVE-2026-29146 introduced a logic error that allowed EncryptInterceptor to be completely bypassed |
| Affected Versions: | Tomcat 11.0.20, 10.1.53, 9.0.116 (i.e., the versions that patched CVE-2026-29146) |
| Fix Versions: | 11.0.21+, 10.1.54+, 9.0.117+ |
This is a patch bypass, a high-signal finding. Organizations that urgently upgraded to fix CVE-2026-29146 were immediately re-exposed via the bypass in the very fix versions. This creates a narrow but dangerous window for any deployment pinned to 11.0.20, 10.1.53, or 9.0.116.
3. CVE-2026-34500: OCSP Soft-Fail Bypass with FFM
| Severity: | Moderate |
| Component: | CLIENT_CERT authentication / OCSP validation (FFM path) |
| Vulnerability Type: | Authentication Control Bypass |
| Root Cause: | OCSP certificate revocation checks silently soft-failed even when soft-fail was explicitly disabled, under the Foreign Function & Memory (FFM) API code path |
| Affected Versions: | Tomcat 11.0.0-M14–11.0.20, 10.1.22–10.1.53, 9.0.92–9.0.116 |
| Fix Versions: | 11.0.21+, 10.1.54+, 9.0.117+ |
When OCSP soft-fail is disabled, the intent is to reject connections with unverifiable certificate revocation status. A soft-fail bypass under FFM means revoked client certificates could be accepted, undermining mutual TLS trust entirely.
Recommendation
1. Immediately upgrade all affected Apache Tomcat instances to the latest secure versions—11.0.21+, 10.1.54+, or 9.0.117+.
Source:
- https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
- https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
- https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
- https://tomcat.apache.org/security.html
Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn
No related posts found.