CVE-2026-34486
Published: 09 April 2026
Summary
CVE-2026-34486 is a high-severity Missing Encryption of Sensitive Data (CWE-311) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-34486 is a Missing Encryption of Sensitive Data vulnerability in Apache Tomcat that arises because the prior fix for CVE-2026-29146 can be bypassed, allowing the EncryptInterceptor to be circumvented. The flaw affects Tomcat versions 11.0.20, 10.1.53, and 9.0.116 and carries a CVSS 3.1 score of 7.5 with network attack vector and high confidentiality impact under CWE-311.
An unauthenticated attacker with network access can exploit the bypass to read sensitive data that should have been protected by the interceptor, without needing user interaction or elevated privileges.
The Apache Tomcat project advises immediate upgrade to the patched releases 11.0.21, 10.1.54, or 9.0.117; the project mailing list and third-party detection and mitigation resources provide further guidance on applying the fixes. The associated EPSS score remains low with only a modest peak, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21056
Vulnerability details
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117,…
more
which fix the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote unauthenticated flaw in Apache Tomcat (a public-facing application server) that bypasses EncryptInterceptor to disclose sensitive data, directly enabling exploitation of public-facing applications for confidentiality impact.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of flaws, directly mitigating CVE-2026-34486 by upgrading Apache Tomcat to fixed versions 11.0.21, 10.1.54, or 9.0.117.
Mandates cryptographic mechanisms to protect sensitive data from unauthorized disclosure, countering the EncryptInterceptor bypass that caused missing encryption.
Implements transmission confidentiality protections, providing layered cryptographic defense against sensitive data exposure exploited via the Tomcat vulnerability.