High severity 7.5 · NVD Advisory · Published Apr 9, 2026 · Updated May 26, 2026
CVE-2026-34486
Description
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-tribes (Maven) | >= 11.0.20, < 11.0.21 | 11.0.21 |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 10.1.53, < 10.1.54 | 10.1.54 |
| org.apache.tomcat:tomcat-tribes (Maven) | >= 9.0.116, < 9.0.117 | 9.0.117 |
| org.apache.tomcat:tomcat (Maven) | >= 11.0.20, < 11.0.21 | 11.0.21 |
| org.apache.tomcat:tomcat (Maven) | >= 10.1.53, < 10.1.54 | 10.1.54 |
| org.apache.tomcat:tomcat (Maven) | >= 9.0.116, < 9.0.117 | 9.0.117 |
Affected products
36 · osv-coords · 33 versions. No CPE is listed for any entry.

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/ontop-fips | < 5.5.0-r4 |
| pkg:bitnami/tomcat | >= 9.0.116, < 9.0.117 |
| pkg:maven/org.apache.tomcat/tomcat | >= 11.0.20, < 11.0.21 |
| pkg:maven/org.apache.tomcat/tomcat-tribes | >= 11.0.20, < 11.0.21 |
| pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2016.0 | < 10.1.54-160000.1.1 |
| pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweed | < 10.1.54-1.1 |
| pkg:rpm/opensuse/tomcat11&distro=openSUSE%20Leap%2016.0 | < 11.0.21-160000.1.1 |
| pkg:rpm/opensuse/tomcat11&distro=openSUSE%20Tumbleweed | < 11.0.21-1.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2016.0 | < 9.0.117-160000.1.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed | < 9.0.117-1.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 10.1.54-150200.5.64.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 11.0.21-150600.13.18.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS | < 9.0.117-3.163.2 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6 | < 9.0.117-150200.105.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 | < 9.0.117-3.163.2 |
References
- github.com/advisories/GHSA-69r9-qgr7-g2wj (ghsa; ADVISORY)
- lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly (nvd; Mailing List, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-34486 (ghsa; ADVISORY)
- github.com/apache/tomcat/commit/1fab40ccc752e22639eccfe290d5624afad7eccd (ghsa; WEB)
- github.com/apache/tomcat/commit/55f3eb9148233054fccfdf761141c6894a050be1 (ghsa; WEB)
- github.com/apache/tomcat/commit/776e12b3e2b0b4507b8a3b62c187ceb0b74bf418 (ghsa; WEB)
- tomcat.apache.org/security-10.html (ghsa; WEB)
- tomcat.apache.org/security-11.html (ghsa; WEB)
- tomcat.apache.org/security-9.html (ghsa; WEB)
- www.herodevs.com/vulnerability-directory/cve-2026-34486 (ghsa; WEB)
- www.vicarius.io/vsociety/posts/cve-2026-34486-detection-script-rce-on-apache-tomcat (nvd; WEB)
- www.vicarius.io/vsociety/posts/cve-2026-34486-mitigation-script-rce-on-apache-tomcat (nvd; WEB)