VYPR
High severity (7.5) · NVD Advisory · Published Apr 9, 2026 · Updated Apr 14, 2026

CVE-2026-34486

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat: the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Ecosystem   Affected versions        Patched versions
org.apache.tomcat:tomcat-tribes   Maven       >= 11.0.20, < 11.0.21    11.0.21
org.apache.tomcat:tomcat-tribes   Maven       >= 10.1.53, < 10.1.54    10.1.54
org.apache.tomcat:tomcat-tribes   Maven       >= 9.0.116, < 9.0.117    9.0.117
org.apache.tomcat:tomcat          Maven       >= 11.0.20, < 11.0.21    11.0.21
org.apache.tomcat:tomcat          Maven       >= 10.1.53, < 10.1.54    10.1.54
org.apache.tomcat:tomcat          Maven       >= 9.0.116, < 9.0.117    9.0.117

Affected products (3)

  • Apache/Tomcat (3 versions)
    • cpe:2.3:a:apache:tomcat:10.1.53:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:11.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.116:*:*:*:*:*:*:*

Patches (3)

1fab40ccc752

Better error handling - partial revert of 6d955cc

https://github.com/apache/tomcat · Mark Thomas · Mar 30, 2026 · via ghsa
2 files changed · +4 -1
  • java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java (+1 -1, modified)
    @@ -140,10 +140,10 @@ public void messageReceived(ChannelMessage msg) {
                 xbb.clear();
                 xbb.append(data, 0, data.length);
     
    +            super.messageReceived(msg);
             } catch (GeneralSecurityException gse) {
                 log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
             }
    -        super.messageReceived(msg);
         }
     
         /**
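Review bot: Moving `super.messageReceived(msg)` into the try block is the substantive change and is what closes the bypass: in the removed version the call sat after the catch, so a message whose decryption threw `GeneralSecurityException` was logged under `encryptInterceptor.decrypt.failed` and then still forwarded up the interceptor chain, which is the "bypass of the EncryptInterceptor" the advisory describes. With the call inside the try, a failed decryption ends processing of that message. Two things to confirm in the surrounding code: that no exception type other than `GeneralSecurityException` can escape the decrypt step (anything else would propagate rather than be logged), and that a regression test sends a message that fails decryption and asserts it never reaches the next interceptor, since the commit message frames this as a partial revert of an earlier fix that moved this same line.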
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -142,6 +142,9 @@
             Reduce log verbosity of the Kubernetes connection attempts and failure.
             (remm)
           </fix>
    +      <fix>
    +        Better error handling for the <code>EncryptInterceptor</code>. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Other">
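Review bot: The changelog entry "Better error handling for the EncryptInterceptor" does not tell operators what actually changed: this is the fix the advisory tracks as CVE-2026-34486, and the behavioural change is that messages failing decryption are no longer passed up the interceptor chain. Suggest wording the entry to say so (for example "Messages that fail decryption in the EncryptInterceptor are no longer forwarded"), so readers of the changelog can recognise it as the security fix; the same applies to the identical entries in the two backport commits below.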
    
776e12b3e2b0

Better error handling - partial revert of 607ebc0

https://github.com/apache/tomcat · Mark Thomas · Mar 30, 2026 · via ghsa
2 files changed · +4 -1
  • java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java (+1 -1, modified)
    @@ -139,10 +139,10 @@ public void messageReceived(ChannelMessage msg) {
                 xbb.clear();
                 xbb.append(data, 0, data.length);
     
    +            super.messageReceived(msg);
             } catch (GeneralSecurityException gse) {
                 log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
             }
    -        super.messageReceived(msg);
         }
     
         /**
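Review bot: Same change as in 1fab40ccc752 above, differing only in the hunk offset (line 139 instead of 140): `super.messageReceived(msg)` moves inside the try so that a `GeneralSecurityException` from decryption ends processing of the message instead of letting it be forwarded after the catch. The check from that review applies here too: only `GeneralSecurityException` is caught, so confirm no other exception from the decrypt path can escape.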
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -146,6 +146,9 @@
             Reduce log verbosity of the Kubernetes connection attempts and failure.
             (remm)
           </fix>
    +      <fix>
    +        Better error handling for the <code>EncryptInterceptor</code>. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Other">
    
55f3eb914823

Better error handling - partial revert of 607ebc0

https://github.com/apache/tomcat · Mark Thomas · Mar 30, 2026 · via ghsa
2 files changed · +4 -1
  • java/org/apache/catalina/tribes/group/interceptors/EncryptInterceptor.java (+1 -1, modified)
    @@ -139,10 +139,10 @@ public void messageReceived(ChannelMessage msg) {
                 xbb.clear();
                 xbb.append(data, 0, data.length);
     
    +            super.messageReceived(msg);
             } catch (GeneralSecurityException gse) {
                 log.error(sm.getString("encryptInterceptor.decrypt.failed"), gse);
             }
    -        super.messageReceived(msg);
         }
     
         /**
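Review bot: Identical to the hunk in 776e12b3e2b0 above (same offset, same commit message); relocating `super.messageReceived(msg)` inside the try is correct for the same reason, and the same exception-coverage check applies to this branch.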
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -146,6 +146,9 @@
             Reduce log verbosity of the Kubernetes connection attempts and failure.
             (remm)
           </fix>
    +      <fix>
    +        Better error handling for the <code>EncryptInterceptor</code>. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Other">
    
