CVE-2026-29129
Published: 09 April 2026
Summary
CVE-2026-29129 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through upgrades to patched Tomcat versions that preserve configured cipher preference order.
Requires implementation of approved cryptographic mechanisms to ensure only strong ciphers are used, preventing exploitation via forced weaker cipher negotiation.
Mandates protection of transmission confidentiality using organization-defined secure mechanisms like TLS with strong cipher suites, countering the cipher preference flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote unauthenticated exploitation of public-facing Tomcat (T1190) to force weaker ciphers via downgrade of configured preference order (T1562.010).
NVD Description
Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix…
more
the issue.
Deeper analysisAI
CVE-2026-29129 is a vulnerability in Apache Tomcat where the configured cipher preference order is not preserved, affecting versions 11.0.16 through 11.0.18, 10.1.51 through 10.1.52, and 9.0.114 through 9.0.115. This issue, classified under CWE-327 (Broken or Risky Cryptographic Algorithm), has a CVSS v3.1 base score of 7.5, reflecting high severity due to its potential for confidential data exposure.
Remote attackers with network access to a vulnerable Tomcat instance can exploit this flaw with low complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation allows attackers to force the use of weaker ciphers than those configured by administrators, potentially enabling decryption of sensitive traffic and achieving high-impact confidentiality violations without affecting integrity or availability.
Apache advisories recommend upgrading to mitigated versions 11.0.20, 10.1.53, or 9.0.116 to address the issue. Detailed discussions are available in the Apache mailing list announcement at https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/22.
Details
- CWE(s)