CVE-2026-34486
Modified Modified - Updated After Analysis
Encryption Bypass Vulnerability in Apache Tomcat EncryptInterceptor

Publication date: 2026-04-09

Last updated on: 2026-05-26

Assigner: Apache Software Foundation

Description
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to theΒ fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34486
EUVD
EUVD-2026-21056
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache tomcat 10.1.53
apache tomcat 11.0.20
apache tomcat 9.0.116
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-311 The product does not encrypt sensitive or critical information before storage or transmission.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Missing Encryption of Sensitive Data issue in Apache Tomcat. It arises due to the fix for a previous vulnerability (CVE-2026-29146) which unintentionally allowed bypassing the EncryptInterceptor, a component responsible for encrypting sensitive data.

Affected versions include Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. The issue is resolved in versions 11.0.21, 10.1.54, and 9.0.117.

Mitigation Strategies

Users are recommended to upgrade Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, which contain fixes for this vulnerability.

Impact Analysis

The vulnerability can lead to sensitive data not being properly encrypted, which increases the risk of data exposure or leakage. Attackers might exploit this to access confidential information that should have been protected by encryption.

Compliance Impact

The vulnerability involves missing encryption of sensitive data in Apache Tomcat, which could potentially lead to exposure of sensitive information.

Since standards like GDPR and HIPAA require protection of sensitive data through encryption and other security measures, this vulnerability could negatively impact compliance with such regulations if exploited.

Users are advised to upgrade to fixed versions to mitigate this risk and maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart