PatchSiren cyber security CVE debrief
CVE-2026-59084 Apache Software Foundation CVE debrief
Apache Tomcat has an Insufficient Technical Documentation vulnerability. The EncryptInterceptor configuration requirements were not clearly documented. This issue affects multiple Apache Tomcat versions, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to review and upgrade to fixed versions. The vulnerability stems from insufficient technical documentation for configuring the EncryptInterceptor in Apache Tomcat.
- Vendor
- Apache Software Foundation
- Product
- Apache Tomcat
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Apache Tomcat versions from 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109 should review and upgrade to fixed versions. This includes operators, security teams, and platform administrators responsible for Apache Tomcat deployments.
Technical summary
The vulnerability stems from insufficient technical documentation for configuring the EncryptInterceptor in Apache Tomcat. This oversight affects multiple versions of Apache Tomcat, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.24, 10.1.57, or 9.0.120, which fix the issue. Other versions that have reached end of support may also be affected.
Defensive priority
Medium
Recommended defensive actions
- Review Apache Tomcat configurations for EncryptInterceptor
- Upgrade to Apache Tomcat version 11.0.24, 10.1.57, or 9.0.120
- Verify documentation for EncryptInterceptor configuration
- Check for other affected versions and apply fixes accordingly
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-14T09:16:41.607Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects multiple Apache Tomcat versions, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.24, 10.1.57, or 9.0.120, which fix the issue. Other versions that have reached end of support may also be affected. Evidence is limited to CVE and NVD details.
Official resources
-
CVE-2026-59084 CVE record
CVE.org
-
CVE-2026-59084 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.607Z and has not been modified since then.