CVE-2026-34486

EUVD-2026-21056
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
Affected Products (NVD)
VendorProductVersion
apachetomcat
9.0.116
apachetomcat
10.1.53
apachetomcat
11.0.20
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
10.1.52-1~deb12u1
fixed
bookworm (security)
10.1.52-1~deb12u1
fixed
forky
10.1.54-1
fixed
sid
10.1.54-1
fixed
trixie
10.1.52-1~deb13u1
fixed
trixie (security)
10.1.52-1~deb13u1
fixed
tomcat11
forky
11.0.21-1
fixed
sid
11.0.22-2
fixed
trixie
11.0.15-1~deb13u1
fixed
trixie (security)
11.0.15-1~deb13u1
fixed
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.107-0+deb11u2
fixed
forky
9.0.115-1
fixed
sid
9.0.115-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
jammy
dne
noble
dne
questing
dne
resolute
dne
trusty
needs-triage
xenial
ignored
tomcat7
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
resolute
dne
trusty
needs-triage
xenial
ignored
tomcat8
bionic
needs-triage
jammy
dne
noble
dne
questing
dne
resolute
dne
xenial
needs-triage
tomcat9
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
resolute
needs-triage
tomcat10
jammy
dne
noble
needs-triage
questing
needs-triage
resolute
needs-triage
tomcat11
jammy
dne
noble
dne
questing
needs-triage
resolute
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-admin-webapps
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-el-3_0-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-lib
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-servlet-4_0-api
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat-webapps
suse enterprise sap 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise sap 15 SP7
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP4
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP5
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP6
9.0.117-150200.105.1
fixed
suse enterprise server 15 SP7
9.0.117-150200.105.1
fixed
tomcat10
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-admin-webapps
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-el-5_0-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-jsp-3_1-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-lib
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-servlet-6_0-api
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat10-webapps
suse enterprise sap 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise sap 15 SP7
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP5
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP6
10.1.54-150200.5.64.1
fixed
suse enterprise server 15 SP7
10.1.54-150200.5.64.1
fixed
tomcat11
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-admin-webapps
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-el-6_0-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-jsp-4_0-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-lib
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-servlet-6_1-api
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
tomcat11-webapps
suse enterprise sap 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise sap 15 SP7
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP6
11.0.21-150600.13.18.1
fixed
suse enterprise server 15 SP7
11.0.21-150600.13.18.1
fixed
Common Weakness Enumeration
References
https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly