PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34486 Apache Software Foundation CVE debrief

A regression vulnerability in Apache Tomcat's EncryptInterceptor allows bypass of encryption protections for sensitive data in transit. The flaw was introduced by the fix for CVE-2026-29146, creating a missing encryption condition (CWE-311) that exposes confidential data to network adversaries. Affected versions are 9.0.116, 10.1.53, and 11.0.20. The vulnerability carries a CVSS score of 7.5 (HIGH), with a network attack vector, low attack complexity, and no privileges or user interaction required. Apache released patched versions 9.0.117, 10.1.54, and 11.0.21 on April 9, 2026. The CVE record was subsequently modified on May 26, 2026. No known exploitation in ransomware campaigns has been documented.

Vendor: Apache Software Foundation
Product: Apache Tomcat
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-09
Original CVE updated: 2026-05-26
Advisory published: 2026-04-09
Advisory updated: 2026-05-26

Who should care

Organizations running Apache Tomcat in clustered configurations with EncryptInterceptor enabled, particularly those with cluster replication traffic traversing untrusted networks. Security teams responsible for Java application server infrastructure and compliance officers concerned with data-in-transit encryption requirements.

Technical summary

Apache Tomcat's EncryptInterceptor, which provides encryption for cluster replication traffic, can be bypassed due to a flaw introduced by the fix for CVE-2026-29146. This creates a missing encryption condition (CWE-311) where sensitive data transmitted between Tomcat cluster nodes may be sent without cryptographic protection. The vulnerability affects specific point releases: 9.0.116, 10.1.53, and 11.0.20. Attackers with network access to cluster communication channels can intercept confidential data without authentication or user interaction. The vulnerability does not affect data integrity or availability. Resolution requires upgrading to the subsequent patch releases: 9.0.117, 10.1.54, or 11.0.21.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Apache Tomcat to version 9.0.117, 10.1.54, or 11.0.21, or later
  • Verify that the EncryptInterceptor is configured and active in cluster deployments
  • Review Tomcat cluster communication for sensitive data exposure
  • Monitor for unauthorized access to cluster replication traffic
  • Apply patches immediately for internet-facing Tomcat cluster instances
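The first two actions above (confirm the version, confirm the EncryptInterceptor is actually in the cluster channel) can be folded into one inventory check. The script below is an added example for this debrief, not PatchSiren or Apache code: it parses a Tomcat server.xml, looks for a <Cluster> with an EncryptInterceptor in its <Channel>, and flags instances whose version is one of the three affected releases. The sample server.xml fragments are constructed, the encryption key is a placeholder, and the version string is assumed to be supplied by the caller (for example from the output of Tomcat's bin/version.sh).

```python
"""Check a Tomcat instance for CVE-2026-34486 exposure: an affected version plus a
clustered configuration that relies on EncryptInterceptor for replication traffic."""
import xml.etree.ElementTree as ET

# Fully qualified class name of the interceptor as used in Tomcat cluster configs.
ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# Exact affected releases and the fixed release per branch, as given in the debrief.
AFFECTED_VERSIONS = {"9.0.116", "10.1.53", "11.0.20"}
FIXED_BY_BRANCH = {(9, 0): "9.0.117", (10, 1): "10.1.54", (11, 0): "11.0.21"}


def parse_version(version: str) -> tuple:
    """Turn '10.1.53' into (10, 1, 53) so the branch can be looked up."""
    return tuple(int(part) for part in version.strip().split("."))


def has_cluster(root: ET.Element) -> bool:
    """True if server.xml declares any <Cluster> element (at any depth)."""
    return root.find(".//Cluster") is not None


def has_encrypt_interceptor(root: ET.Element) -> bool:
    """True if any <Interceptor> element is the EncryptInterceptor."""
    return any(el.get("className") == ENCRYPT_INTERCEPTOR for el in root.iter("Interceptor"))


def assess(version: str, server_xml: str) -> str:
    """Classify one instance; returns a short status string for inventory tooling."""
    root = ET.fromstring(server_xml)
    if not has_cluster(root):
        return "not-applicable: no <Cluster> configured"
    if not has_encrypt_interceptor(root):
        # Not this CVE, but replication traffic is unencrypted by configuration.
        return "review: cluster replication traffic has no EncryptInterceptor"
    if version.strip() in AFFECTED_VERSIONS:
        fixed = FIXED_BY_BRANCH[parse_version(version)[:2]]
        return f"vulnerable: EncryptInterceptor can be bypassed, upgrade to {fixed}"
    return "ok: EncryptInterceptor configured on an unaffected version"


# Constructed sample server.xml fragments (not taken from any real deployment).
CLUSTERED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="PLACEHOLDER_HEX_KEY"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>"""

STANDALONE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    for ver, xml in [("9.0.116", CLUSTERED_XML), ("9.0.117", CLUSTERED_XML),
                     ("10.1.53", STANDALONE_XML)]:
        print(ver, "->", assess(ver, xml))
```

The "review" branch matters as much as the "vulnerable" one: a cluster whose channel has no EncryptInterceptor at all is not affected by this regression, but its replication traffic is in the clear by design and belongs in the same data-in-transit review the debrief calls for.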

Evidence notes

The vulnerability description explicitly states that this is a regression from the CVE-2026-29146 fix that allows the EncryptInterceptor to be bypassed. CPE criteria confirm the exact affected versions without range ambiguity. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a confidentiality-only impact.

Official resources

Apache disclosed this vulnerability via its security mailing list on April 9, 2026, identifying it as a regression from a prior security fix. The record was later updated in NVD on May 26, 2026.