Zero Day Monitor © 2026
CVE-2026-29146 (PATCHED), CVSS 7.5
Vendor: apache software foundation · Product: apache tomcat

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.

Affected Products

Vendor: apache software foundation
Product: apache tomcat
Versions: 11.0.0-M1, 10.0.0-M1, 9.0.13, 8.5.38, 7.0.100, 11.0.20

References

  • https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w (vendor-advisory)

Related News (3 articles)

Tier C · oss-security · 4h ago
CVE-2026-34486: Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
→ No new info (linked only)

Tier C · oss-security · 5h ago
CVE-2026-29146: Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
→ No new info (linked only)

Tier C · VulDB · 7h ago
CVE-2026-29146 | Apache Tomcat up to 7.0.109/8.5.100/9.0.115/10.1.52/11.0.18 EncryptInterceptor reliance on obfuscation or encryption of security-relevant inputs without integrity checking
→ No new info (linked only)
CVSS 3.1: 7.5 (IMPORTANT)
CISA KEV: No
Actively exploited: No
Patch available: 11.0.21
Published: Apr 9, 2026
Last enriched: 3h ago (v3)
Trending Score: 32
Source articles: 3
Independent: 2
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-35554
Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition
Trending: 36

MEDIUM · CVE-2026-34500
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Trending: 34

NONE · CVE-2026-24880
Apache Tomcat: Request smuggling via invalid chunk extension
Trending: 31

NONE · CVE-2026-25854
Apache Tomcat: Occasionally open redirect
Trending: 31

NONE · CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Trending: 31


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Apr 9, 2026
Discovered by ZDM
Apr 9, 2026
Updated: description, severity, cvssEstimate, cweIds
Apr 9, 2026
Patch Available
Apr 9, 2026
Updated: affectedVersions, severity, patchAvailable
Apr 9, 2026

Version History

v3 (current) · Tier C · last enriched 3h ago

Updated affected versions to include 11.0.20, changed severity to IMPORTANT, and provided new patch version 11.0.21.

Changed fields: affectedVersions, severity, patchAvailable
via oss-security
v2 · Tier C · 6h ago

Updated description with new technical details, changed severity to HIGH, set CVSS estimate to 7.5, added CWE-310, and corrected exploit availability status.

Changed fields: description, severity, cvssEstimate, cweIds
via VulDB
v1 · 8h ago

Initial creation