CVE-2026-29146
Published: 09 April 2026
Summary
CVE-2026-29146 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Deeper analysis
The vulnerability is a Padding Oracle issue in Apache Tomcat's EncryptInterceptor when using the default configuration. It affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. This flaw is associated with CWEs 209 and 642 and carries a CVSS score of 7.5, indicating high impact on confidentiality.
An attacker can exploit this remotely without authentication to decrypt sensitive data by leveraging the padding oracle behavior in the encryption interceptor.
Advisories recommend upgrading to fixed versions 11.0.19, 10.1.53, and 9.0.116 to resolve the issue, as detailed in Apache Tomcat security lists and related oss-security postings. The EPSS score remains flat at 0.1292 with no material rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21012
Vulnerability details
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network exploitation of a padding oracle flaw in the public-facing Tomcat EncryptInterceptor directly enables T1190 (Exploit Public-Facing Application) for confidentiality impact via data decryption.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates timely remediation of the padding oracle flaw in Tomcat's EncryptInterceptor by applying vendor patches to vulnerable versions.
- CM-6 (Configuration Settings): requires establishing and enforcing secure configuration settings for Tomcat to avoid the vulnerable default EncryptInterceptor configuration.
- Error handling: mitigates padding oracle exploitation by ensuring that failures do not disclose sensitive information or decryption status through distinguishable responses.
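The error-handling control above, as an added Python illustration that is not code from Apache Tomcat or its EncryptInterceptor: a leaky decrypt path that unpads unauthenticated data and reports padding and MAC failures differently (the CWE-209 pattern behind a padding oracle), beside a hardened encrypt-then-MAC path that authenticates first and returns one identical failure for everything. The HMAC-counter keystream, key, IV and message are constructed stand-ins, not Tomcat's cipher or wire format.

```python
import hashlib
import hmac

BLOCK = 16

class DecryptError(Exception):
    pass

def _crypt(key, iv, data):
    # Toy HMAC-counter keystream XOR standing in for the real cipher (illustration only).
    ks = b"".join(hmac.new(key, iv + c.to_bytes(4, "big"), hashlib.sha256).digest()
                  for c in range(0, len(data), 32))
    return bytes(x ^ y for x, y in zip(data, ks))

def _unpad(data):
    pad = data[-1] if data else 0
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise DecryptError("bad padding")
    return data[:-pad]

def seal(key, iv, plaintext):
    # PKCS#7 pad, encrypt, then MAC over iv||ciphertext (encrypt-then-MAC).
    pad = BLOCK - len(plaintext) % BLOCK
    ct = _crypt(key, iv, plaintext + bytes([pad]) * pad)
    return ct, hmac.new(key, iv + ct, hashlib.sha256).digest()

def leaky_decrypt(key, iv, ct, tag):
    # CWE-209 pattern: padding is checked on unauthenticated data and its error
    # differs from the MAC error, so a remote peer can tell the failures apart.
    pt = _unpad(_crypt(key, iv, ct))
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise DecryptError("bad mac")
    return pt

def hardened_decrypt(key, iv, ct, tag):
    # Verify the MAC first (constant-time compare); tampered input never reaches
    # the padding check, and every failure collapses to one identical response.
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise DecryptError("decrypt failed")
    try:
        return _unpad(_crypt(key, iv, ct))
    except DecryptError:
        raise DecryptError("decrypt failed") from None

def observed_outcome(decrypt, key, iv, ct, tag):
    # What a remote peer can observe: "ok" or the failure message.
    try:
        decrypt(key, iv, ct, tag)
        return "ok"
    except DecryptError as e:
        return str(e)
```

With a valid message both paths decrypt; flipping one ciphertext byte versus one tag byte yields two different responses from leaky_decrypt and the same response from hardened_decrypt.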