Cyber Posture

CVE-2026-29146

Severity: High
Published: 09 April 2026
Modified: 14 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29146 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): Directly mandates timely remediation of the padding oracle flaw in Tomcat's EncryptInterceptor by applying vendor patches to vulnerable versions.

prevent · CM-6 (Configuration Settings): Requires establishing and enforcing secure configuration settings for Tomcat to avoid the vulnerable default EncryptInterceptor configuration.

prevent: Mitigates padding oracle exploitation by ensuring error handling does not disclose sensitive information or decryption status via distinguishable responses.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of a padding oracle flaw in the public-facing Tomcat EncryptInterceptor directly enables T1190 (Exploit Public-Facing Application) for confidentiality impact via data decryption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Deeper analysis

CVE-2026-29146 is a Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor when using the default configuration. The issue affects multiple versions of Apache Tomcat, specifically from 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. It is associated with CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-642 (External Control of Critical State Data), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers with network access can exploit this vulnerability without authentication, privileges, or user interaction. By leveraging the Padding Oracle attack vector, they can achieve high-impact confidentiality violations, such as decrypting sensitive data protected by the EncryptInterceptor, while integrity and availability remain unaffected.

Apache advisories recommend upgrading to the fixed versions 11.0.19 (Tomcat 11), 10.1.53 (Tomcat 10.1), and 9.0.116 (Tomcat 9). Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/24.

Details

CWE(s): CWE-209 (Generation of Error Message Containing Sensitive Information), CWE-642 (External Control of Critical State Data)

Affected Products: apache / tomcat, versions 7.0.100 through 7.0.109 · 8.5.38 through 8.5.100 · 9.0.13 through 9.0.116

CVEs Like This One

CVE-2025-66614 (same product: Apache Tomcat)
CVE-2026-34483 (same product: Apache Tomcat)
CVE-2025-55754 (same product: Apache Tomcat)
CVE-2026-24880 (same product: Apache Tomcat)
CVE-2026-34486 (same product: Apache Tomcat)
CVE-2026-29129 (same product: Apache Tomcat)
CVE-2026-34487 (same product: Apache Tomcat)
CVE-2026-29145 (same product: Apache Tomcat)
CVE-2026-24734 (same product: Apache Tomcat)
CVE-2024-55532 (same vendor: Apache)
