CVE-2026-34486

HIGH LAB

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Title source: cna

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Exploits (4)

nomisec WORKING POC 1 stars

by AirSkye · poc

https://github.com/AirSkye/CVE-2026-34486-poc

View Code ZIP pw:eip

nomisec SCANNER

by helGayhub233 · poc

https://github.com/helGayhub233/CVE-2026-34486-Tribes

View Code ZIP pw:eip

nomisec WORKING POC

by 404-src · poc

https://github.com/404-src/CVE-2026-34486

View Code ZIP pw:eip

nomisec WORKING POC

by punitdarji · poc

https://github.com/punitdarji/tomcat-cve-2026-34486

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Lab Environment

COMMUNITY

Community Lab

docker pull tomcat:9.0.116-jdk8

https://github.com/punitdarji/tomcat-cve-2026-34486

https://github.com/AirSkye/CVE-2026-34486-poc

https://github.com/404-src/CVE-2026-34486

+1 more repos

View in Library

Details

CWE

CWE-311

Status published

Products (10)

apache/tomcat 9.0.116

apache/tomcat 10.1.53

apache/tomcat 11.0.20

Apache Software Foundation/Apache Tomcat 10.1.53

Apache Software Foundation/Apache Tomcat 11.0.20

Apache Software Foundation/Apache Tomcat 9.0.116

org.apache.tomcat/tomcat 11.0.20 - 11.0.21Maven

org.apache.tomcat/tomcat-catalina 11.0.20 - 11.0.21Maven

org.apache.tomcat/tomcat-tribes 11.0.20 - 11.0.21Maven

org.apache.tomcat.embed/tomcat-embed-core 11.0.20 - 11.0.21Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026