CVE-2026-29146

EUVD-2026-21012
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.100 ≤
𝑥
≤ 7.0.109
apachetomcat
8.5.38 ≤
𝑥
≤ 8.5.100
apachetomcat
9.0.13 ≤
𝑥
< 9.0.116
apachetomcat
10.0.0 ≤
𝑥
< 10.1.53
apachetomcat
11.0.0 ≤
𝑥
< 11.0.20
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
vulnerable
bookworm (security)
10.1.55-1~deb12u1
fixed
forky
10.1.55-1
fixed
sid
10.1.55-1
fixed
trixie
vulnerable
trixie (security)
10.1.55-1~deb13u1
fixed
tomcat11
forky
11.0.22-2
fixed
sid
11.0.22-2
fixed
trixie
vulnerable
trixie (security)
11.0.22-1~deb13u1
fixed
tomcat9
bookworm
9.0.70-2
fixed
bullseye
vulnerable
bullseye (security)
9.0.118-0+deb11u1
fixed
forky
9.0.118-1
fixed
sid
9.0.118-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat10
jammy
dne
noble
needed
questing
needed
resolute
needed
tomcat11
jammy
dne
noble
dne
questing
needed
resolute
needed
tomcat6
jammy
dne
noble
dne
questing
dne
resolute
dne
trusty
not-affected
xenial
ignored
tomcat7
bionic
not-affected
jammy
dne
noble
dne
questing
dne
resolute
dne
trusty
not-affected
xenial
ignored
tomcat8
bionic
needed
jammy
dne
noble
dne
questing
dne
resolute
dne
xenial
not-affected
tomcat9
bionic
needed
focal
needed
jammy
needed
noble
needed
questing
needed
resolute
needed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-admin-webapps
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-el-3_0-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-lib
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-servlet-4_0-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-webapps
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat10
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-admin-webapps
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-el-5_0-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-jsp-3_1-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-lib
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-servlet-6_0-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-webapps
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat11
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-admin-webapps
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-el-6_0-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-jsp-4_0-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-lib
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-servlet-6_1-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-webapps
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
tomcat10
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-admin-webapps
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-docs-webapp
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-el-5.0-api
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-jsp-3.1-api
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-lib
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-servlet-6.0-api
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat10-webapps
Amazon Linux 2023
1:10.1.54-1.amzn2023.0.1
fixed
tomcat9
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-admin-webapps
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-docs-webapp
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-el-3.0-api
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-jsp-2.3-api
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-lib
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-servlet-4.0-api
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed
tomcat9-webapps
Amazon Linux 2023
1:9.0.117-1.amzn2023.0.1
fixed