Cyber Resilience

CVE-2026-29146

Severity: High
Published: 09 April 2026
Modified: 14 April 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.1292 (94.2nd percentile)
Risk priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29146 is a high-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS the CVE ranks in the top 5.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

The vulnerability is a Padding Oracle issue in Apache Tomcat's EncryptInterceptor when using the default configuration. It affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. This flaw is associated with CWEs 209 and 642 and carries a CVSS score of 7.5, indicating high impact on confidentiality.

An attacker can exploit this remotely without authentication to decrypt sensitive data by leveraging the padding oracle behavior in the encryption interceptor.

Advisories recommend upgrading to fixed versions 11.0.19, 10.1.53, and 9.0.116 to resolve the issue, as detailed in Apache Tomcat security lists and related oss-security postings. The EPSS score remains flat at 0.1292 with no material rise observed.

EU & UK References

Vulnerability details

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Remote unauthenticated network exploitation of a padding oracle flaw in the public-facing Tomcat EncryptInterceptor directly enables T1190 (Exploit Public-Facing Application) for confidentiality impact via data decryption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34486 (same product: Apache Tomcat)
CVE-2026-43512 (same product: Apache Tomcat)
CVE-2026-34483 (same product: Apache Tomcat)
CVE-2026-24880 (same product: Apache Tomcat)
CVE-2026-42498 (same product: Apache Tomcat)
CVE-2025-66614 (same product: Apache Tomcat)
CVE-2025-55754 (same product: Apache Tomcat)
CVE-2026-41293 (same product: Apache Tomcat)
CVE-2026-29129 (same product: Apache Tomcat)
CVE-2026-41284 (same product: Apache Tomcat)

Affected Assets

apache
tomcat
7.0.100 — 7.0.109 · 8.5.38 — 8.5.100 · 9.0.13 — 9.0.116

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation, prevent: Directly mandates timely remediation of the padding oracle flaw in Tomcat's EncryptInterceptor by applying vendor patches to vulnerable versions.

CM-6 Configuration Settings, prevent: Requires establishing and enforcing secure configuration settings for Tomcat to avoid the vulnerable default EncryptInterceptor configuration.

Error handling, prevent: Mitigates padding oracle exploitation by ensuring error handling does not disclose sensitive information or decryption status via distinguishable responses.
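The last control above is the one a developer can check in code. The following is an added example, not Apache Tomcat's EncryptInterceptor or any Apache code: it contrasts a decrypt path that reports padding failures and MAC failures as two different error types (the CWE-209 pattern that gives an attacker a padding oracle) with an encrypt-then-MAC path that authenticates the IV and ciphertext before anything is decrypted and raises a single uniform error. The block cipher is a toy HMAC-based Feistel network standing in for AES so the script runs on the Python standard library alone; the keys, the fixed IV and the sample message are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16
# Constructed demo values; a real deployment derives keys from configuration
# and uses a fresh random IV per message. The IV is fixed here only so that
# probe() below is reproducible.
ENC_KEY = b"demo-enc-key-0000"
MAC_KEY = b"demo-mac-key-0000"
IV = bytes(range(BLOCK))


class PaddingError(Exception):
    """Vulnerable design: a padding failure surfaces as its own error type."""

class MacError(Exception):
    """Vulnerable design: a MAC failure surfaces as a different error type."""

class DecryptError(Exception):
    """Hardened design: the only failure a caller ever sees."""


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel network over a 16-byte block (stands in for AES).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid PKCS#7 padding")
    return data[:-n]

def _cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def _cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def vulnerable_encrypt(msg: bytes) -> bytes:
    # MAC-then-encrypt: the tag is padded and encrypted along with the message.
    tag = hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    return IV + _cbc_encrypt(ENC_KEY, IV, _pad(msg + tag))

def vulnerable_decrypt(token: bytes) -> bytes:
    iv, ct = token[:BLOCK], token[BLOCK:]
    plain = _unpad(_cbc_decrypt(ENC_KEY, iv, ct))   # PaddingError escapes to the caller
    msg, tag = plain[:-32], plain[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, msg, hashlib.sha256).digest()):
        raise MacError("MAC mismatch")               # a second, distinguishable error
    return msg


def hardened_encrypt(msg: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext; nothing is decrypted unauthenticated.
    ct = _cbc_encrypt(ENC_KEY, IV, _pad(msg))
    return IV + ct + hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()

def hardened_decrypt(token: bytes) -> bytes:
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        raise DecryptError("decryption failed")      # one error for any tampering
    try:
        return _unpad(_cbc_decrypt(ENC_KEY, body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        raise DecryptError("decryption failed") from None   # never expose padding status


def probe(decrypt, token: bytes, offsets) -> list:
    """Flip one byte at each offset and collect the error types a caller can distinguish."""
    seen = set()
    for off in offsets:
        tampered = token[:off] + bytes([token[off] ^ 0x01]) + token[off + 1:]
        try:
            decrypt(tampered)
            seen.add("ok")
        except Exception as exc:
            seen.add(type(exc).__name__)
    return sorted(seen)


if __name__ == "__main__":
    msg = b"session-id=42;role=user"                 # constructed sample plaintext
    print("vulnerable:", probe(vulnerable_decrypt, vulnerable_encrypt(msg), (16, 48, 63)))
    print("hardened:  ", probe(hardened_decrypt, hardened_encrypt(msg), (16, 48, 63)))
```

probe() flips single bytes of a token and records which exception types the caller can tell apart: the vulnerable path yields two distinguishable errors (a flip in the last ciphertext block's predecessor breaks padding, a flip elsewhere only breaks the MAC), while the hardened path yields exactly one. Two details carry the mitigation: the MAC is verified over the IV and ciphertext before any decryption, and the verification uses hmac.compare_digest so the check itself does not leak through timing.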

References