CVE-2026-29146

HIGH

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Title source: cna

Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/09/24

[Vendor Advisory] https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w

Scores

CVSS v3 7.5

EPSS 0.0010

EPSS Percentile 28.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-209 CWE-642

Status published

Products (10)

apache/tomcat 7.0.100 - 7.0.109

Apache Software Foundation/Apache Tomcat 10.0.0-M1 - 10.1.52

Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.18

Apache Software Foundation/Apache Tomcat 7.0.100 - 7.0.109

Apache Software Foundation/Apache Tomcat 8.5.38 - 8.5.100

Apache Software Foundation/Apache Tomcat 9.0.13 - 9.0.115

org.apache.tomcat/tomcat 9.0.13 - 9.0.116Maven

org.apache.tomcat/tomcat-catalina 9.0.13 - 9.0.116Maven

org.apache.tomcat/tomcat-tribes 9.0.13 - 9.0.116Maven

org.apache.tomcat.embed/tomcat-embed-core 9.0.13 - 9.0.116Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026