Cyber Posture

CVE-2026-34486

High

Published: 09 April 2026

Published
09 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0001 1.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34486 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely remediation of flaws, directly mitigating CVE-2026-34486 by upgrading Apache Tomcat to fixed versions 11.0.21, 10.1.54, or 9.0.117.

SC-13 Cryptographic Protection good match
prevent

Mandates cryptographic mechanisms to protect sensitive data from unauthorized disclosure, countering the EncryptInterceptor bypass that caused missing encryption.

SC-8 Transmission Confidentiality and Integrity partial match
prevent

Implements transmission confidentiality protections, providing layered cryptographic defense against sensitive data exposure exploited via the Tomcat vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a remote unauthenticated flaw in Apache Tomcat (a public-facing application server) that bypasses EncryptInterceptor to disclose sensitive data, directly enabling exploitation of public-facing applications for confidentiality impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117,…

more

which fix the issue.

Deeper analysisAI

CVE-2026-34486 is a Missing Encryption of Sensitive Data vulnerability (CWE-311) in Apache Tomcat, arising from the fix implemented for CVE-2026-29146 that enables bypass of the EncryptInterceptor. This issue affects Apache Tomcat versions 11.0.20, 10.1.53, and 9.0.116.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), meaning unauthenticated attackers can exploit it remotely over the network with low attack complexity and no user interaction required. Exploitation results in high-impact confidentiality loss, allowing disclosure of sensitive data that should have been protected by encryption.

Apache Tomcat advisories recommend upgrading to mitigated versions 11.0.21, 10.1.54, or 9.0.117 to address the bypass. Further details are provided in the official announcement at https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly.

Details

CWE(s)
CWE-311

Affected Products

apache
tomcat
10.1.53, 11.0.20, 9.0.116

CVEs Like This One

CVE-2025-66614Same product: Apache Tomcat
CVE-2026-29146Same product: Apache Tomcat
CVE-2026-34483Same product: Apache Tomcat
CVE-2025-55754Same product: Apache Tomcat
CVE-2026-24880Same product: Apache Tomcat
CVE-2026-29129Same product: Apache Tomcat
CVE-2026-34487Same product: Apache Tomcat
CVE-2026-29145Same product: Apache Tomcat
CVE-2026-24734Same product: Apache Tomcat
CVE-2024-55532Same vendor: Apache

References