CVE-2026-29129

HIGH

Apache Tomcat: TLS cipher order is not preserved

Title source: cna

Description

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/09/22

[Vendor Advisory] https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f

Scores

CVSS v3 7.5

EPSS 0.0003

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-327

Status published

Products (7)

apache/tomcat 9.0.114 - 9.0.116

Apache Software Foundation/Apache Tomcat 10.1.51 - 10.1.52

Apache Software Foundation/Apache Tomcat 11.0.16 - 11.0.18

Apache Software Foundation/Apache Tomcat 9.0.114 - 9.0.115

org.apache.tomcat/tomcat 9.0.114 - 9.0.116Maven

org.apache.tomcat/tomcat-catalina 9.0.114 - 9.0.116Maven

org.apache.tomcat.embed/tomcat-embed-core 9.0.114 - 9.0.116Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026