CVE-2026-34487
Published: 09 April 2026
Summary
CVE-2026-34487 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-9 (Protection of Audit Information).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely flaw remediation including patching the specific Tomcat vulnerability that inserts the Kubernetes bearer token into logs.
Requires protection of audit and log information to prevent unauthorized access to Tomcat log files containing the exposed bearer token.
Monitors audit records for indications of information disclosure such as the Kubernetes bearer token logged by the vulnerable Tomcat component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly causes Kubernetes bearer tokens to be written to log files, enabling attackers to extract unsecured credentials from files (T1552.001) via network access to the logs.
NVD Description
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.…
more
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Deeper analysisAI
CVE-2026-34487 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532) in the cloud membership for clustering component of Apache Tomcat. This flaw causes the Kubernetes bearer token to be exposed in log files. It affects Apache Tomcat versions from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, and from 9.0.13 through 9.0.116. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility and no authentication required.
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges or user interaction needed. By accessing the Tomcat log files, they can extract the Kubernetes bearer token, potentially enabling unauthorized access to the Kubernetes cluster for further compromise, such as privilege escalation or lateral movement within the environment.
Apache advisories recommend upgrading to mitigated versions 11.0.21, 10.1.54, or 9.0.117 to address the issue. Detailed announcements are available in the Apache mailing list thread at https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/28.
Details
- CWE(s)