CVE-2026-34487
Received Received - Intake
Sensitive Data Exposure via Log Injection in Apache Tomcat Clustering

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34487
EUVD
EUVD-2026-21057
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache tomcat From 10.1.0 (inc) to 10.1.54 (exc)
apache tomcat From 11.0.0 (inc) to 11.0.21 (exc)
apache tomcat From 9.0.13 (inc) to 9.0.117 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the insertion of sensitive information into a log file within the cloud membership for the clustering component of Apache Tomcat.

Specifically, it exposes the Kubernetes bearer token, which is a sensitive credential used for authentication.

The issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.20, 10.1.0-M1 through 10.1.53, and 9.0.13 through 9.0.116.

Users are advised to upgrade to fixed versions 11.0.21, 10.1.54, or 9.0.117 to resolve this issue.

Impact Analysis

The exposure of the Kubernetes bearer token in log files can lead to unauthorized access to Kubernetes clusters.

Attackers who gain access to these logs could use the token to impersonate legitimate users or services, potentially leading to data breaches or unauthorized control over cloud resources.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, which contain the fix for the issue.

Compliance Impact

The vulnerability involves the insertion of sensitive information, specifically the Kubernetes bearer token, into log files. Exposure of such sensitive tokens can lead to unauthorized access risks within Kubernetes environments.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of sensitive authentication tokens in logs could potentially lead to violations of data protection and security requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34487. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart