Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVSS 7.5
CVE-2026-29146 (PATCHED)
Vendor: apache software foundation · Product: apache tomcat

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.

Affected Products

Vendor:   apache software foundation
Product:  apache tomcat
Versions: 11.0.0-M1, 10.0.0-M1, 9.0.13, 8.5.38, 7.0.100, 11.0.20

References

  • https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w (vendor-advisory)

Related News (3 articles)

Tier C · oss-security · 2h ago
CVE-2026-34486: Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
→ No new info (linked only)

Tier C · oss-security · 3h ago
CVE-2026-29146: Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
→ No new info (linked only)

Tier C · VulDB · 5h ago
CVE-2026-29146 | Apache Tomcat up to 7.0.109/8.5.100/9.0.115/10.1.52/11.0.18 EncryptInterceptor reliance on obfuscation or encryption of security-relevant inputs without integrity checking
→ No new info (linked only)
CVSS 3.1: 7.5 (IMPORTANT)
CISA KEV: No
Actively exploited: No
Patch available: 11.0.21
Published: Apr 9, 2026
Last enriched: 2h ago (v3)
Trending Score: 32
Source articles: 3
Independent: 2
Info Completeness: 8/14
Missing: epss, cwe, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-34486 · EXP
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor
Trending: 58

HIGH · CVE-2025-62188 · EXP
Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.
Trending: 53

LOW · CVE-2026-34487 · EXP
Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Trending: 52

LOW · CVE-2026-34483 · EXP
Apache Tomcat: Incomplete escaping of JSON access logs
Trending: 52

NONE · CVE-2026-29129 · EXP
Apache Tomcat: TLS cipher order is not preserved
Trending: 51

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Updated (description, severity, cvssEstimate, cweIds): Apr 9, 2026
Patch Available: Apr 9, 2026
Updated (affectedVersions, severity, patchAvailable): Apr 9, 2026

Version History

Current: v3 (last enriched 2h ago)

v3 · Tier C · 2h ago
Updated affected versions to include 11.0.20, changed severity to IMPORTANT, and provided new patch version 11.0.21.
Fields: affectedVersions, severity, patchAvailable
via oss-security

v2 · Tier C · 5h ago
Updated description with new technical details, changed severity to HIGH, set CVSS estimate to 7.5, added CWE-310, and corrected exploit availability status.
Fields: description, severity, cvssEstimate, cweIds
via VulDB

v1 · 6h ago
Initial creation