What is the CVSS score of CVE-2026-34487?

CVE-2026-34487 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Kubernetes are affected by CVE-2026-34487?

Apache Tomcat's clustering component inadvertently logs Kubernetes authentication tokens in plaintext, creating a credential exposure vulnerability that could allow attackers with network access to…. A patch is available.

Kubernetes CVE-2026-34487

EUVD-2026-21057 HIGH

Insertion of Sensitive Information into Log File (CWE-532)

2026-04-09 apache

GHSA-x4m4-345f-5h5g

Apache Information Disclosure Kubernetes Red Hat Tomcat Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 11, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 20:15 euvd

EUVD-2026-21057

Analysis Generated

Apr 09, 2026 - 20:15 vuln.today

CVE Published

Apr 09, 2026 - 19:36 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

442 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (33 direct, 409 indirect)
20 maven packages depend on org.apache.tomcat:tomcat-catalina (8 direct, 12 indirect)

Ecosystem-wide dependent count for version 9.0.13 and other introduced versions.

DescriptionNVD

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

AnalysisAI

Apache Tomcat's cloud membership clustering component logs Kubernetes bearer tokens in plaintext, enabling unauthenticated remote attackers to extract authentication credentials from log files. Affects Tomcat 9.0.13-9.0.116, 10.1.0-M1-10.1.53, and 11.0.0-M1-11.0.20. …

RemediationAI

Within 24 hours: Inventory all Tomcat instances (versions 9.0.13-9.0.116, 10.1.0-M1-10.1.53, 11.0.0-M1-11.0.20) in Kubernetes environments and verify log file access controls. Within 7 days: Implement log filtering or masking to redact bearer tokens from Tomcat logs using log aggregation tooling (e.g., Fluentd, Logstash); rotate all Kubernetes service account tokens associated with Tomcat deployments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory