PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59084 Apache Software Foundation CVE debrief

Apache Tomcat has an Insufficient Technical Documentation vulnerability. The EncryptInterceptor configuration requirements were not clearly documented. This issue affects multiple Apache Tomcat versions, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to review and upgrade to fixed versions. The vulnerability stems from insufficient technical documentation for configuring the EncryptInterceptor in Apache Tomcat.

Vendor
Apache Software Foundation
Product
Apache Tomcat
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of Apache Tomcat versions from 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109 should review and upgrade to fixed versions. This includes operators, security teams, and platform administrators responsible for Apache Tomcat deployments.

Technical summary

The vulnerability stems from insufficient technical documentation for configuring the EncryptInterceptor in Apache Tomcat. This oversight affects multiple versions of Apache Tomcat, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.24, 10.1.57, or 9.0.120, which fix the issue. Other versions that have reached end of support may also be affected.

Defensive priority

Medium

Recommended defensive actions

  • Review Apache Tomcat configurations for EncryptInterceptor
  • Upgrade to Apache Tomcat version 11.0.24, 10.1.57, or 9.0.120
  • Verify documentation for EncryptInterceptor configuration
  • Check for other affected versions and apply fixes accordingly
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-14T09:16:41.607Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects multiple Apache Tomcat versions, including 11.0.0-M1 through 11.0.23, 10.1.0-M1 through 10.1.56, 9.0.13 through 9.0.119, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.24, 10.1.57, or 9.0.120, which fix the issue. Other versions that have reached end of support may also be affected. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T09:16:41.607Z and has not been modified since then.