Cyber Resilience

CVE-2026-34486

HighUpdated

Published: 09 April 2026

Published
09 April 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0140 80.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34486 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34486 is a Missing Encryption of Sensitive Data vulnerability in Apache Tomcat that arises because the prior fix for CVE-2026-29146 can be bypassed, allowing the EncryptInterceptor to be circumvented. The flaw affects Tomcat versions 11.0.20, 10.1.53, and 9.0.116 and carries a CVSS 3.1 score of 7.5 with network attack vector and high confidentiality impact under CWE-311.

An unauthenticated attacker with network access can exploit the bypass to read sensitive data that should have been protected by the interceptor, without needing user interaction or elevated privileges.

The Apache Tomcat project advises immediate upgrade to the patched releases 11.0.21, 10.1.54, or 9.0.117; the project mailing list and third-party detection and mitigation resources provide further guidance on applying the fixes. The associated EPSS score remains low with only a modest peak, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117,…

more

which fix the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated flaw in Apache Tomcat (a public-facing application server) that bypasses EncryptInterceptor to disclose sensitive data, directly enabling exploitation of public-facing applications for confidentiality impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-43512Same product: Apache Tomcat
CVE-2026-34483Same product: Apache Tomcat
CVE-2026-24880Same product: Apache Tomcat
CVE-2026-42498Same product: Apache Tomcat
CVE-2026-29146Same product: Apache Tomcat
CVE-2025-66614Same product: Apache Tomcat
CVE-2025-55754Same product: Apache Tomcat
CVE-2026-41293Same product: Apache Tomcat
CVE-2026-29129Same product: Apache Tomcat
CVE-2026-41284Same product: Apache Tomcat

Affected Assets

apache
tomcat
10.1.53, 11.0.20, 9.0.116

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of flaws, directly mitigating CVE-2026-34486 by upgrading Apache Tomcat to fixed versions 11.0.21, 10.1.54, or 9.0.117.

prevent

Mandates cryptographic mechanisms to protect sensitive data from unauthorized disclosure, countering the EncryptInterceptor bypass that caused missing encryption.

prevent

Implements transmission confidentiality protections, providing layered cryptographic defense against sensitive data exposure exploited via the Tomcat vulnerability.

References