Vulnerability-Lookup

WID-SEC-W-2026-1038

Vulnerability from csaf_certbund - Published: 2026-04-09 22:00 - Updated: 2026-06-08 22:00

Summary

Apache Tomcat und Tomcat Native: Mehrere Schwachstellen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Apache Tomcat ist ein Web-Applikationsserver für verschiedene Plattformen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, vertrauliche Informationen offenzulegen, Open-Redirect-Angriffe durchzuführen und andere, nicht näher spezifizierte Angriffe auszuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-24880

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-25854

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-29129

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-29145

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-29146

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-32990

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-34483

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-34486

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-34487

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

CVE-2026-34500

Affected products

Known affected 17 products

Product	Identifier	Version
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Apache Tomcat <11.0.19 Apache / Tomcat		<11.0.19
Apache Tomcat Native <1.3.7 Apache / Tomcat		Native <1.3.7
Apache Tomcat Native <2.0.14 Apache / Tomcat		Native <2.0.14
Red Hat JBoss Web Server <6.2.3 Red Hat / JBoss Web Server		<6.2.3
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Apache Tomcat <9.0.116 Apache / Tomcat		<9.0.116
Apache Tomcat <9.0.117 Apache / Tomcat		<9.0.117
Apache Tomcat <10.1.53 Apache / Tomcat		<10.1.53
Apache Tomcat <11.0.20 Apache / Tomcat		<11.0.20
Apache Tomcat <11.0.21 Apache / Tomcat		<11.0.21
HCL Commerce 9.1.0-9.1.19.0 HCL / Commerce	`cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0`	9.1.0-9.1.19.0
Apache Tomcat <10.1.52 Apache / Tomcat		<10.1.52
Apache Tomcat <10.1.54 Apache / Tomcat		<10.1.54
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—
Amazon Linux 2 Amazon	`cpe:/o:amazon:linux_2:-`	—

References

27 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://tomcat.apache.org/security-9.html	external
https://tomcat.apache.org/security-10.html	external
https://tomcat.apache.org/security-11.html	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.opensuse.org/archives/list/security…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://alas.aws.amazon.com/AL2/ALAS2TOMCAT9-2026…	external
https://access.redhat.com/errata/RHSA-2026:12195	external
https://access.redhat.com/errata/RHSA-2026:12194	external
https://support.hcl-software.com/community?id=com…	external
https://access.redhat.com/errata/RHSA-2026:20405	external
https://access.redhat.com/errata/RHSA-2026:20406	external
https://github.com/striga-ai/CVE-2026-34486	external
https://lists.debian.org/debian-lts-announce/2026…	external
https://security-tracker.debian.org/tracker/DSA-6328-1	external
https://security-tracker.debian.org/tracker/DSA-6329-1	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Tomcat ist ein Web-Applikationsserver f\u00fcr verschiedene Plattformen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache Tomcat ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, Daten zu manipulieren, vertrauliche Informationen offenzulegen, Open-Redirect-Angriffe durchzuf\u00fchren und andere, nicht n\u00e4her spezifizierte Angriffe auszuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1038 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1038.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1038 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1038"
      },
      {
        "category": "external",
        "summary": "Apache Tomcat 9 vulnerabilities vom 2026-04-09",
        "url": "https://tomcat.apache.org/security-9.html"
      },
      {
        "category": "external",
        "summary": "Apache Tomcat 10 vulnerabilities vom 2026-04-09",
        "url": "https://tomcat.apache.org/security-10.html"
      },
      {
        "category": "external",
        "summary": "Apache Tomcat 11 vulnerabilities vom 2026-04-09",
        "url": "https://tomcat.apache.org/security-11.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10548-1 vom 2026-04-15",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QNEDM6RBHQEARIDUITXLNEYREGQXXWW5/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10549-1 vom 2026-04-15",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MEFQXVLFFJSJMLHOKAARZ4TAVX5QBSU5/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:10547-1 vom 2026-04-15",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ENRWN4ZNTHX5V7VJZHUZGDSHXMJHD2Y/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1558-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025569.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20612-1 vom 2026-04-23",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6JYOECIHMTZAXAOESLTCB5WLXF2FKMPT/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2026:20611-1 vom 2026-04-23",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M5H5Q3AIANVMCJDNLDOJKP7ZEVFCMTAL/"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1572-1 vom 2026-04-23",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025601.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1603-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025617.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:1604-1 vom 2026-04-24",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025616.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21378-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025729.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21379-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025728.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2026:21366-1 vom 2026-04-28",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-April/025739.html"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALAS2TOMCAT9-2026-025 vom 2026-04-30",
        "url": "https://alas.aws.amazon.com/AL2/ALAS2TOMCAT9-2026-025.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:12195 vom 2026-04-30",
        "url": "https://access.redhat.com/errata/RHSA-2026:12195"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:12194 vom 2026-04-30",
        "url": "https://access.redhat.com/errata/RHSA-2026:12194"
      },
      {
        "category": "external",
        "summary": "HCL Security Bulletin vom 2026-05-12",
        "url": "https://support.hcl-software.com/community?id=community_blog\u0026sys_id=2f600efd2bf4c7900c64f1a1d891bf19"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20405 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20405"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2026:20406 vom 2026-05-26",
        "url": "https://access.redhat.com/errata/RHSA-2026:20406"
      },
      {
        "category": "external",
        "summary": "PoC CVE-2026-34486 vom 2026-05-28",
        "url": "https://github.com/striga-ai/CVE-2026-34486"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4619 vom 2026-06-07",
        "url": "https://lists.debian.org/debian-lts-announce/2026/06/msg00008.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6328 vom 2026-06-08",
        "url": "https://security-tracker.debian.org/tracker/DSA-6328-1"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-6329 vom 2026-06-08",
        "url": "https://security-tracker.debian.org/tracker/DSA-6329-1"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Tomcat und Tomcat Native: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-08T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-09T09:01:47.747+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1038",
      "initial_release_date": "2026-04-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-04-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-04-15T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2026-04-22T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-23T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-26T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-28T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2026-04-29T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2026-05-03T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-12T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2026-05-26T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2026-05-28T22:00:00.000+00:00",
          "number": "11",
          "summary": "PoC f\u00fcr CVE-2026-34486 aufgenommen"
        },
        {
          "date": "2026-06-07T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2026-06-08T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c11.0.20",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.20",
                  "product_id": "T052614"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.20",
                "product": {
                  "name": "Apache Tomcat 11.0.20",
                  "product_id": "T052614-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.20"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.52",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.52",
                  "product_id": "T052615"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.52",
                "product": {
                  "name": "Apache Tomcat 10.1.52",
                  "product_id": "T052615-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.52"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.116",
                "product": {
                  "name": "Apache Tomcat \u003c9.0.116",
                  "product_id": "T052616"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.116",
                "product": {
                  "name": "Apache Tomcat 9.0.116",
                  "product_id": "T052616-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:9.0.116"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.53",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.53",
                  "product_id": "T052617"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.53",
                "product": {
                  "name": "Apache Tomcat 10.1.53",
                  "product_id": "T052617-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.53"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Native \u003c1.3.7",
                "product": {
                  "name": "Apache Tomcat Native \u003c1.3.7",
                  "product_id": "T052618"
                }
              },
              {
                "category": "product_version",
                "name": "Native 1.3.7",
                "product": {
                  "name": "Apache Tomcat Native 1.3.7",
                  "product_id": "T052618-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:native__1.3.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Native \u003c2.0.14",
                "product": {
                  "name": "Apache Tomcat Native \u003c2.0.14",
                  "product_id": "T052619"
                }
              },
              {
                "category": "product_version",
                "name": "Native 2.0.14",
                "product": {
                  "name": "Apache Tomcat Native 2.0.14",
                  "product_id": "T052619-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:native__2.0.14"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.19",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.19",
                  "product_id": "T052624"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.19",
                "product": {
                  "name": "Apache Tomcat 11.0.19",
                  "product_id": "T052624-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.19"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c11.0.21",
                "product": {
                  "name": "Apache Tomcat \u003c11.0.21",
                  "product_id": "T052625"
                }
              },
              {
                "category": "product_version",
                "name": "11.0.21",
                "product": {
                  "name": "Apache Tomcat 11.0.21",
                  "product_id": "T052625-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:11.0.21"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c10.1.54",
                "product": {
                  "name": "Apache Tomcat \u003c10.1.54",
                  "product_id": "T052626"
                }
              },
              {
                "category": "product_version",
                "name": "10.1.54",
                "product": {
                  "name": "Apache Tomcat 10.1.54",
                  "product_id": "T052626-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:10.1.54"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c9.0.117",
                "product": {
                  "name": "Apache Tomcat \u003c9.0.117",
                  "product_id": "T052627"
                }
              },
              {
                "category": "product_version",
                "name": "9.0.117",
                "product": {
                  "name": "Apache Tomcat 9.0.117",
                  "product_id": "T052627-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:tomcat:9.0.117"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.1.0-9.1.19.0",
                "product": {
                  "name": "HCL Commerce 9.1.0-9.1.19.0",
                  "product_id": "T053858",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltechsw:commerce:9.1.0_-_9.1.19.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Commerce"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.2.3",
                "product": {
                  "name": "Red Hat JBoss Web Server \u003c6.2.3",
                  "product_id": "T054708"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.3",
                "product": {
                  "name": "Red Hat JBoss Web Server 6.2.3",
                  "product_id": "T054708-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.2.3"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Web Server"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-24880",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-24880"
    },
    {
      "cve": "CVE-2026-25854",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-25854"
    },
    {
      "cve": "CVE-2026-29129",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-29129"
    },
    {
      "cve": "CVE-2026-29145",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-29145"
    },
    {
      "cve": "CVE-2026-29146",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-29146"
    },
    {
      "cve": "CVE-2026-32990",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-32990"
    },
    {
      "cve": "CVE-2026-34483",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-34483"
    },
    {
      "cve": "CVE-2026-34486",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-34486"
    },
    {
      "cve": "CVE-2026-34487",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-34487"
    },
    {
      "cve": "CVE-2026-34500",
      "product_status": {
        "known_affected": [
          "67646",
          "T052624",
          "T052618",
          "T052619",
          "T054708",
          "2951",
          "T002207",
          "T052616",
          "T052627",
          "T052617",
          "T052614",
          "T052625",
          "T053858",
          "T052615",
          "T052626",
          "T027843",
          "398363"
        ]
      },
      "release_date": "2026-04-09T22:00:00.000+00:00",
      "title": "CVE-2026-34500"
    }
  ]
}

CVE-2026-24880 (GCVE-0-2026-24880)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:12 – Updated: 2026-04-10 18:33

Title

Apache Tomcat: Request smuggling via invalid chunk extension

Summary

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/2c682qnlg2tv4o5kn…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.1.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.0.M1 , ≤ 9.0.115 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Affected: 7.0.0 , ≤ 7.0.109 (semver) Unknown: 0 , < 7.0.0 (semver) Unknown: 8.0.0-RC1 , ≤ 8.0.53 (semver)

Credits

Xclow3n

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:44.782Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/20"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-24880",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:33:19.886460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:33:49.308Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "7.0.0",
              "status": "unknown",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.0.53",
              "status": "unknown",
              "version": "8.0.0-RC1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Xclow3n"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u003cbr\u003eOther, unsupported versions may also be affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027) vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:12:10.730Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2c682qnlg2tv4o5knlggqbl9yc2gb5sn"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Request smuggling via invalid chunk extension",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-24880",
    "datePublished": "2026-04-09T19:12:10.730Z",
    "dateReserved": "2026-01-27T18:06:58.294Z",
    "dateUpdated": "2026-04-10T18:33:49.308Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25854 (GCVE-0-2026-25854)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:13 – Updated: 2026-04-10 18:22

Title

Apache Tomcat: Occasionally open redirect

Summary

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/ghct3b6o74bp2vm7q…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.1.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.0.M23 , ≤ 9.0.115 (semver) Affected: 8.5.30 , ≤ 8.5.100 (semver) Unaffected: 0 , ≤ 7.0.109 (semver)

Credits

gregk4sec (https://github.com/gregk4sec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:47.041Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/21"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-25854",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:21:57.176392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:22:34.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.0.M23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "gregk4sec (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOccasional URL redirection to untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\u003cbr\u003eOther, unsupported versions may also be affected\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Occasional URL redirection to untrusted Site (\u0027Open Redirect\u0027) vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:13:13.529Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/ghct3b6o74bp2vm7q875s1zh0dqrz3h0"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Occasionally open redirect",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-25854",
    "datePublished": "2026-04-09T19:13:13.529Z",
    "dateReserved": "2026-02-06T16:25:11.569Z",
    "dateUpdated": "2026-04-10T18:22:34.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29129 (GCVE-0-2026-29129)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:19 – Updated: 2026-04-10 18:06

Title

Apache Tomcat: TLS cipher order is not preserved

Summary

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

Configured cipher preference order not preserved
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.16 , ≤ 11.0.18 (semver) Affected: 10.1.51 , ≤ 10.1.52 (semver) Affected: 9.0.114 , ≤ 9.0.115 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:48.414Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29129",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:05:39.544150Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-327",
                "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:06:45.771Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.51",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.114",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eConfigured cipher preference order not preserved vulnerability in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Configured cipher preference order not preserved",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:19:40.645Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: TLS cipher order is not preserved",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29129",
    "datePublished": "2026-04-09T19:19:40.645Z",
    "dateReserved": "2026-03-04T08:16:56.456Z",
    "dateUpdated": "2026-04-10T18:06:45.771Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29145 (GCVE-0-2026-29145)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:20 – Updated: 2026-04-10 18:11

Title

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Summary

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled
CWE-287 - Improper Authentication

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/yz5fxmhd2j43wgqyk…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

2 products

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.1.0-M7 , ≤ 10.1.52 (semver) Affected: 9.0.83 , ≤ 9.0.115 (semver) Unaffected: 0 , ≤ 8.5.100 (semver)
Apache Software Foundation	Apache Tomcat Native	Affected: 1.1.23 , ≤ 1.1.34 (semver) Affected: 1.2.0 , ≤ 1.2.39 (semver) Affected: 1.3.0 , ≤ 1.3.6 (semver) Affected: 2.0.0 , ≤ 2.0.13 (semver)

Credits

gregk4sec (https://github.com/gregk4sec)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:49.788Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/23"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 9.1,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29145",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:10:50.492750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:11:31.014Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.0-M7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat Native",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.1.34",
              "status": "affected",
              "version": "1.1.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.2.39",
              "status": "affected",
              "version": "1.2.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "1.3.6",
              "status": "affected",
              "version": "1.3.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.0.13",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "gregk4sec (https://github.com/gregk4sec)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:20:24.601Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29145",
    "datePublished": "2026-04-09T19:20:24.601Z",
    "dateReserved": "2026-03-04T09:52:45.179Z",
    "dateUpdated": "2026-04-10T18:11:31.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-29146 (GCVE-0-2026-29146)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:21 – Updated: 2026-04-10 18:17

Title

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Summary

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

Padding Oracle
CWE-209 - Generation of Error Message Containing Sensitive Information
CWE-642 - External Control of Critical State Data

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/lzt04z2pb3dc5tk85…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.18 (semver) Affected: 10.0.0-M1 , ≤ 10.1.52 (semver) Affected: 9.0.13 , ≤ 9.0.115 (semver) Affected: 8.5.38 , ≤ 8.5.100 (semver) Affected: 7.0.100 , ≤ 7.0.109 (semver)

Credits

Uri Katz and Avi Lumelsky (Oligo Security)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:51.111Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-29146",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:17:02.531112Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-209",
                "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-642",
                "description": "CWE-642 External Control of Critical State Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:17:59.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.18",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.38",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.109",
              "status": "affected",
              "version": "7.0.100",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Uri Katz and Avi Lumelsky (Oligo Security)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePadding Oracle vulnerability in Apache Tomcat\u0027s EncryptInterceptor with default configuration.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Padding Oracle vulnerability in Apache Tomcat\u0027s EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Padding Oracle",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:21:57.289Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-29146",
    "datePublished": "2026-04-09T19:21:57.289Z",
    "dateReserved": "2026-03-04T10:35:55.231Z",
    "dateUpdated": "2026-04-10T18:17:59.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32990 (GCVE-0-2026-32990)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:23 – Updated: 2026-04-10 18:39

Title

Apache Tomcat: Fix for CVE-2025-66614 is incomplete

Summary

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation

Assigner

apache

References

1 reference

URL	Tags
https://lists.apache.org/thread/1nl9zqft0ksqlhlkd…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.15 , ≤ 11.0.19 (semver) Affected: 10.1.50 , ≤ 10.1.52 (semver) Affected: 9.0.113 , ≤ 9.0.115 (semver)

Credits

zhengg

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-32990",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:38:40.304932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:39:25.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.19",
              "status": "affected",
              "version": "11.0.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.52",
              "status": "affected",
              "version": "10.1.50",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.115",
              "status": "affected",
              "version": "9.0.113",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zhengg"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:23:49.618Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Fix for CVE-2025-66614 is incomplete",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-32990",
    "datePublished": "2026-04-09T19:23:49.618Z",
    "dateReserved": "2026-03-17T13:55:48.216Z",
    "dateUpdated": "2026-04-10T18:39:25.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34483 (GCVE-0-2026-34483)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:30 – Updated: 2026-04-10 20:17

Title

Apache Tomcat: Incomplete escaping of JSON access logs

Summary

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/j1w7304yonlr8vo1t…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.20 (semver) Affected: 10.1.0-M1 , ≤ 10.1.53 (semver) Affected: 9.0.40 , ≤ 9.0.116 (semver) Affected: 8.5.84 , ≤ 8.5.100 (semver) Unaffected: 0 , ≤ 8.5.83 (semver)

Credits

Bartlomiej Dmitruk, striga.ai

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:53.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/26"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34483",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:16:32.864927Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:17:38.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.83",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk, striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eImproper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:30:28.874Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Incomplete escaping of JSON access logs",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34483",
    "datePublished": "2026-04-09T19:30:28.874Z",
    "dateReserved": "2026-03-30T07:40:44.705Z",
    "dateUpdated": "2026-04-10T20:17:38.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34486 (GCVE-0-2026-34486)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:35 – Updated: 2026-05-26 18:16

Title

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Summary

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-311 - Missing Encryption of Sensitive Data

Assigner

apache

References

3 references

URL	Tags
https://lists.apache.org/thread/9510k5p5zdvt9pkkg…	vendor-advisory
https://www.vicarius.io/vsociety/posts/cve-2026-3…
https://www.vicarius.io/vsociety/posts/cve-2026-3…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.20 (semver) Affected: 10.1.53 (semver) Affected: 9.0.116 (semver)

Credits

Bartlomiej Dmitruk at striga.ai

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34486",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T20:20:09.561886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T20:20:56.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-26T18:16:14.258Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2026-34486-detection-script-rce-on-apache-tomcat"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2026-34486-mitigation-script-rce-on-apache-tomcat"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "11.0.20",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "10.1.53",
              "versionType": "semver"
            },
            {
              "status": "affected",
              "version": "9.0.116",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk at striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMissing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u0026nbsp;fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the\u00a0fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-311",
              "description": "CWE-311 Missing Encryption of Sensitive Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:35:35.994Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34486",
    "datePublished": "2026-04-09T19:35:35.994Z",
    "dateReserved": "2026-03-30T07:57:49.315Z",
    "dateUpdated": "2026-05-26T18:16:14.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34487 (GCVE-0-2026-34487)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:36 – Updated: 2026-04-10 17:49

Title

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Summary

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/4xpkwolpkrj8v5xzp…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.20 (semver) Affected: 10.1.0-M1 , ≤ 10.1.53 (semver) Affected: 9.0.13 , ≤ 9.0.116 (semver)

Credits

Bartlomiej Dmitruk, striga.ai

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:54.609Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/28"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34487",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:47:28.920468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:49:44.314Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.13",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bartlomiej Dmitruk, striga.ai"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u003c/p\u003e"
            }
          ],
          "value": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532 Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:36:12.048Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34487",
    "datePublished": "2026-04-09T19:36:12.048Z",
    "dateReserved": "2026-03-30T08:10:48.531Z",
    "dateUpdated": "2026-04-10T17:49:44.314Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34500 (GCVE-0-2026-34500)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:36 – Updated: 2026-04-10 14:22

Title

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Summary

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled
CWE-287 - Improper Authentication

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/7rcl4zdxryc8hy3ht…	vendor-advisory
http://www.openwall.com/lists/oss-security/2026/0…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M14 , ≤ 11.0.20 (semver) Affected: 10.1.22 , ≤ 10.1.53 (semver) Affected: 9.0.92 , ≤ 9.0.116 (semver)

Credits

Haruki Oyama (Waseda University)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-09T23:15:55.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-34500",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T14:21:50.556349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-287",
                "description": "CWE-287 Improper Authentication",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T14:22:31.310Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.20",
              "status": "affected",
              "version": "11.0.0-M14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.53",
              "status": "affected",
              "version": "10.1.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.116",
              "status": "affected",
              "version": "9.0.92",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Haruki Oyama (Waseda University)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:36:52.857Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34500",
    "datePublished": "2026-04-09T19:36:52.857Z",
    "dateReserved": "2026-03-30T08:34:56.185Z",
    "dateUpdated": "2026-04-10T14:22:31.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-1038

CVE-2026-24880 (GCVE-0-2026-24880)

CVE-2026-25854 (GCVE-0-2026-25854)

CVE-2026-29129 (GCVE-0-2026-29129)

CVE-2026-29145 (GCVE-0-2026-29145)

CVE-2026-29146 (GCVE-0-2026-29146)

CVE-2026-32990 (GCVE-0-2026-32990)

CVE-2026-34483 (GCVE-0-2026-34483)

CVE-2026-34486 (GCVE-0-2026-34486)

CVE-2026-34487 (GCVE-0-2026-34487)

CVE-2026-34500 (GCVE-0-2026-34500)

Tags

Sightings

Nomenclature