CVE-2026-29129
Cipher Preference Order Vulnerability in Apache Tomcat SSL/TLS

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-14
Generated: 2026-06-16
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor   Product   Version / Range
apache   tomcat    From 10.1.51 (inc) to 10.1.53 (exc)
apache   tomcat    From 11.0.16 (inc) to 11.0.20 (exc)
apache   tomcat    From 9.0.114 (inc) to 9.0.116 (exc)
CWE
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
Executive Summary

This vulnerability in Apache Tomcat involves the configured cipher preference order not being preserved. This means that the order in which cryptographic ciphers are preferred or prioritized by the server may not be maintained as intended.

Impact Analysis

If the cipher preference order is not preserved, it could lead to weaker or less secure ciphers being used during encrypted communications. This may reduce the overall security of data transmitted between clients and the server, potentially exposing sensitive information to interception or attacks.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Tomcat to versions 11.0.20, 10.1.53, or 9.0.116, which contain the fix for the issue.

Compliance Impact

The vulnerability involves the TLS cipher preference order not being preserved as configured, which could allow weaker ciphers to be selected despite administrator settings.

This could potentially weaken the security of TLS connections, which may impact compliance with security requirements in standards and regulations such as GDPR and HIPAA that mandate strong encryption practices to protect sensitive data.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Detection Guidance

This vulnerability involves the TLS cipher preference order not being preserved as configured in affected Apache Tomcat versions. Detection would involve verifying the TLS cipher order behavior on your Tomcat server.

One approach is to check the Apache Tomcat version to see if it falls within the vulnerable ranges: 11.0.16 through 11.0.18, 10.1.51 through 10.1.52, or 9.0.114 through 9.0.115.

To detect the vulnerability on your system, you can:

  • Check the Tomcat version by running: `catalina.sh version` or checking the server logs.
  • Test the TLS cipher preference order by using tools such as `openssl s_client` or `nmap` with the `--script ssl-enum-ciphers` option to observe which ciphers are negotiated.
  • Example command to test TLS ciphers with OpenSSL: `openssl s_client -connect yourserver:443 -cipher <cipher_list>` to see which cipher is accepted.
  • Use `nmap --script ssl-enum-ciphers -p 443 yourserver` to enumerate supported ciphers and their order.

If the cipher preference order does not match your configured preference, and your Tomcat version is vulnerable, the system is affected.
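The two detection steps above (checking the version against the advisory's ranges, then comparing the server's observed cipher order with the configured one), as an added Python example that is not part of this advisory; the cipher names in the sample data are constructed, and the observed list stands in for the ordered output of `nmap --script ssl-enum-ciphers`.

```python
from __future__ import annotations

# Affected ranges exactly as the advisory states them (inclusive at both ends).
AFFECTED_RANGES = [
    ((11, 0, 16), (11, 0, 18)),
    ((10, 1, 51), (10, 1, 52)),
    ((9, 0, 114), (9, 0, 115)),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a 'major.minor.patch' string such as the one `catalina.sh version`
    prints into a tuple that compares numerically ('9.0.115' > '9.0.99')."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Tomcat version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_affected(text: str) -> bool:
    """True if the version lies inside one of the advisory's vulnerable ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def order_preserved(configured: list[str], observed: list[str]) -> bool:
    """Compare the server-side preference order seen on the wire (the ordered
    list `nmap --script ssl-enum-ciphers` prints) with the configured order.
    Ciphers the server cannot offer (e.g. no matching certificate) are ignored;
    any observed cipher that was never configured counts as a mismatch."""
    present = set(observed)
    expected = [c for c in configured if c in present]
    return expected == observed


def affected(version: str, configured: list[str], observed: list[str]) -> bool:
    """The advisory's rule: vulnerable version AND the order does not match."""
    return version_affected(version) and not order_preserved(configured, observed)


if __name__ == "__main__":
    # Constructed sample: a configured order and an observed order that swaps
    # the first two suites, i.e. the configured preference was not preserved.
    configured = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    observed = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    print("affected:", affected("9.0.115", configured, observed))  # affected: True
```

When collecting the observed order with `openssl s_client`, TLS 1.3 suites are passed with `-ciphersuites` rather than `-cipher`, so compare the lists per protocol version.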
