CVE-2026-29129

EUVD-2026-21010
Configured cipher preference order not preserved vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
apacheCNA
UNKNOWN
---
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
apachetomcat
11.0.16 ≤
𝑥
≤ 11.0.18
CNA
apachetomcat
10.1.51 ≤
𝑥
≤ 10.1.52
CNA
apachetomcat
9.0.114 ≤
𝑥
≤ 9.0.115
CNA
References
https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f