CVE-2026-34486
Modified Modified - Updated After Analysis

Encryption Bypass Vulnerability in Apache Tomcat EncryptInterceptor

Vulnerability report for CVE-2026-34486, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-09

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to theΒ fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-09
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-04-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
apache tomcat 10.1.53
apache tomcat 11.0.20
apache tomcat 9.0.116

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-311 The product does not encrypt sensitive or critical information before storage or transmission.
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Users are recommended to upgrade Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, which contain fixes for this vulnerability.

Executive Summary

This vulnerability is a Missing Encryption of Sensitive Data issue in Apache Tomcat. It arises due to the fix for a previous vulnerability (CVE-2026-29146) which unintentionally allowed bypassing the EncryptInterceptor, a component responsible for encrypting sensitive data.

Affected versions include Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. The issue is resolved in versions 11.0.21, 10.1.54, and 9.0.117.

Impact Analysis

The vulnerability can lead to sensitive data not being properly encrypted, which increases the risk of data exposure or leakage. Attackers might exploit this to access confidential information that should have been protected by encryption.

Compliance Impact

The vulnerability involves missing encryption of sensitive data in Apache Tomcat, which could potentially lead to exposure of sensitive information.

Since standards like GDPR and HIPAA require protection of sensitive data through encryption and other security measures, this vulnerability could negatively impact compliance with such regulations if exploited.

Users are advised to upgrade to fixed versions to mitigate this risk and maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart