Cyber Resilience

CVE-2026-29129

High

Published: 09 April 2026

Published
09 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0026 17.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-29129 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2026-29129 is a vulnerability in Apache Tomcat where the configured cipher preference order is not preserved, affecting versions 11.0.16 through 11.0.18, 10.1.51 through 10.1.52, and 9.0.114 through 9.0.115. This issue, classified under CWE-327 (Broken or Risky Cryptographic Algorithm), has a CVSS v3.1 base score of 7.5, reflecting high severity due to its potential for confidential data exposure.

Remote attackers with network access to a vulnerable Tomcat instance can exploit this flaw with low complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation allows attackers to force the use of weaker ciphers than those configured by administrators, potentially enabling decryption of sensitive traffic and achieving high-impact confidentiality violations without affecting integrity or availability.

Apache advisories recommend upgrading to mitigated versions 11.0.20, 10.1.53, or 9.0.116 to address the issue. Detailed discussions are available in the Apache mailing list announcement at https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/22.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix…

more

the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1689 Downgrade Attack Defense Impairment
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls.
Why these techniques?

CVE enables remote unauthenticated exploitation of public-facing Tomcat (T1190) to force weaker ciphers via downgrade of configured preference order (T1562.010).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34483Same product: Apache Tomcat
CVE-2026-43512Same product: Apache Tomcat
CVE-2026-24880Same product: Apache Tomcat
CVE-2025-55754Same product: Apache Tomcat
CVE-2026-41293Same product: Apache Tomcat
CVE-2026-34486Same product: Apache Tomcat
CVE-2025-66614Same product: Apache Tomcat
CVE-2026-29146Same product: Apache Tomcat
CVE-2026-42498Same product: Apache Tomcat
CVE-2026-34487Same product: Apache Tomcat

Affected Assets

apache
tomcat
9.0.114 — 9.0.116 · 10.1.51 — 10.1.53 · 11.0.16 — 11.0.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through upgrades to patched Tomcat versions that preserve configured cipher preference order.

prevent

Requires implementation of approved cryptographic mechanisms to ensure only strong ciphers are used, preventing exploitation via forced weaker cipher negotiation.

prevent

Mandates protection of transmission confidentiality using organization-defined secure mechanisms like TLS with strong cipher suites, countering the cipher preference flaw.

References