High severity 7.5 · NVD Advisory · Published Apr 9, 2026 · Updated Apr 14, 2026
CVE-2026-29146
Description
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-tribes (Maven) | >= 9.0.13, < 9.0.116 | 9.0.116 |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 10.1.50, < 10.1.53 | 10.1.53 |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 11.0.0-M1, < 11.0.20 | 11.0.20 |
| org.apache.tomcat:tomcat (Maven) | >= 9.0.13, < 9.0.116 | 9.0.116 |
| org.apache.tomcat:tomcat (Maven) | >= 10.1.50, < 10.1.53 | 10.1.53 |
| org.apache.tomcat:tomcat (Maven) | >= 11.0.0-M1, < 11.0.20 | 11.0.20 |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 8.5.38, <= 8.5.100 | — |
| org.apache.tomcat:tomcat (Maven) | >= 8.5.38, <= 8.5.100 | — |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 7.0.100, <= 7.0.109 | — |
| org.apache.tomcat:tomcat (Maven) | >= 7.0.100, <= 7.0.109 | — |
Affected products
| Package (OSV coordinates) | Affected range |
|---|---|
| pkg:apk/chainguard/camunda-8.8 | < 8.8.22-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.6 | < 8.6.39-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.7 | < 8.7.27-r0 |
| pkg:apk/chainguard/camunda-zeebe-8.8 | < 8.8.22-r0 |
| pkg:apk/chainguard/kayenta-2025.0 | < 2025.0.8-r10 |
| pkg:apk/chainguard/kayenta-2025.1 | < 2025.1.6-r8 |
| pkg:apk/chainguard/kayenta-2025.2 | < 2025.2.4-r4 |
| pkg:apk/chainguard/kayenta-2025.4 | < 2025.4.3-r5 |
| pkg:apk/chainguard/kayenta-2026.0 | < 2026.0.2-r5 |
| pkg:apk/chainguard/kayenta-fips-2025.0 | < 2025.0.8-r12 |
| pkg:apk/chainguard/kayenta-fips-2025.1 | < 2025.1.6-r9 |
| pkg:apk/chainguard/kayenta-fips-2025.2 | < 2025.2.4-r5 |
| pkg:apk/chainguard/kayenta-fips-2025.4 | < 2025.4.3-r6 |
| pkg:apk/chainguard/kayenta-fips-2026.0 | < 2026.0.2-r6 |
| pkg:apk/chainguard/nacos | < 3.2.0-r6 |
| pkg:apk/chainguard/nacos-docker | < 3.2.0-r2 |
| pkg:apk/chainguard/ontop | < 5.5.0-r8 |
| pkg:apk/chainguard/ontop-fips | < 5.5.0-r4 |
| pkg:apk/chainguard/thingsboard-tb-mqtt-transport | < 4.3.1.1-r2 |
| pkg:apk/chainguard/thingsboard-tb-node | < 4.3.1.1-r2 |
| pkg:apk/wolfi/thingsboard-tb-mqtt-transport | < 4.3.1.1-r2 |
| pkg:apk/wolfi/thingsboard-tb-node | < 4.3.1.1-r2 |
| pkg:bitnami/tomcat | >= 7.0.100, < 9.0.116 |
| pkg:maven/org.apache.tomcat/tomcat | >= 9.0.13, < 9.0.116 |
| pkg:maven/org.apache.tomcat/tomcat-tribes | >= 9.0.13, < 9.0.116 |
| pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2016.0 | < 10.1.54-160000.1.1 |
| pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed | < 10.1.54-1.1 |
| pkg:rpm/opensuse/tomcat11&distro=openSUSE%20Leap%2016.0 | < 11.0.21-160000.1.1 |
| pkg:rpm/opensuse/tomcat11&distro=openSUSE%20Tumbleweed | < 11.0.21-1.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2016.0 | < 9.0.117-160000.1.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed | < 9.0.117-1.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS | < 9.0.117-3.163.2 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 | < 9.0.117-3.163.2 |
References
- www.openwall.com/lists/oss-security/2026/04/09/24 (nvd; Mailing List, Third Party Advisory; WEB)
- github.com/advisories/GHSA-h468-7pvh-8vr8 (ghsa; ADVISORY)
- lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w (nvd; Mailing List, Vendor Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-29146 (ghsa; ADVISORY)
- github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1 (ghsa; WEB)
- github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c (ghsa; WEB)
- github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa (ghsa; WEB)
- tomcat.apache.org/security-10.html (ghsa; WEB)
- tomcat.apache.org/security-11.html (ghsa; WEB)
- tomcat.apache.org/security-9.html (ghsa; WEB)
- www.herodevs.com/vulnerability-directory/cve-2026-29146 (ghsa; WEB)
News mentions
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More (The Hacker News · May 11, 2026)