PatchSiren cyber security CVE debrief
CVE-2026-29146 Apache CVE debrief
CVE-2026-29146 is a padding oracle vulnerability in Apache Tomcat's EncryptInterceptor when it runs with its default configuration. The issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53, or 9.0.116, which fix the issue. The CVSS score for this vulnerability is 7.5, indicating high severity. The vulnerability was published on April 9, 2026, and last modified on June 30, 2026.
- Vendor: Apache
- Product: Tomcat
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-09
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-09
- Advisory updated: 2026-06-30
Who should care
Apache Tomcat users and administrators should be aware of this vulnerability and upgrade to a fixed version. It can be exploited over the network, and its high severity score indicates that it could have a significant impact on affected systems. Security teams and IT staff responsible for maintaining Apache Tomcat installations should prioritize patching.
Technical summary
CVE-2026-29146 is a padding oracle vulnerability in Apache Tomcat's EncryptInterceptor. It occurs when the interceptor is used with its default configuration. The affected versions of Apache Tomcat are from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability can be exploited over the network with low attack complexity, no privileges and no user interaction. The impact is to confidentiality (high); integrity and availability are not affected.
Defensive priority
Patching Apache Tomcat installations for CVE-2026-29146 should be given high priority. Given the high CVSS score and the potential for network exploitation, defenders should treat this as a critical update.
Recommended defensive actions
- Upgrade Apache Tomcat to version 11.0.19, 10.1.53, or 9.0.116.
- Review and update affected versions of Apache Tomcat according to the vendor's advisory.
- Implement compensating controls such as network segmentation and monitoring for suspicious activity.
- Verify that the EncryptInterceptor is properly configured.
- Monitor for and respond to potential exploit attempts.
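The first and fourth actions above can be scripted against an inventory. The following Python example is added here and is not part of the advisory or of the Tomcat project: it encodes the affected version ranges and fixed releases exactly as stated above (Tomcat milestone builds such as 11.0.0-M1 sort before the matching GA release), flags every host on an affected version, and records whether that host's server.xml declares an EncryptInterceptor so patching can be sequenced. The hostnames, version strings and configuration fragments are constructed, and the `className` check assumes the interceptor is declared in the usual `<Interceptor className="...EncryptInterceptor"/>` form.

```python
import re

# A GA release sorts after every milestone (-Mn) of the same x.y.z number,
# so 11.0.0-M1 < 11.0.0-M2 < 11.0.0.
GA = 10**9


def parse_version(text):
    """Turn a Tomcat version string such as '9.0.115' or '11.0.0-M1'
    into a comparable tuple (major, minor, patch, milestone)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


# Affected ranges and fixed releases exactly as the advisory states them;
# the advisory names no fixed release for the 8.5 and 7.0 lines.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.18", "11.0.19"),
    ("10.0.0-M1", "10.1.52", "10.1.53"),
    ("9.0.13", "9.0.115", "9.0.116"),
    ("8.5.38", "8.5.100", None),
    ("7.0.100", "7.0.109", None),
]


def assess(version):
    """Return whether one Tomcat version falls inside an affected range and,
    if so, which fixed release the advisory recommends (None if none is named)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return {"version": version, "affected": True, "fixed_in": fixed}
    return {"version": version, "affected": False, "fixed_in": None}


def uses_encrypt_interceptor(server_xml):
    """Textual check for an EncryptInterceptor declaration in server.xml.
    Assumption (not from the advisory): the interceptor is declared as an
    element whose className attribute ends in 'EncryptInterceptor'."""
    return re.search(r'className="[^"]*EncryptInterceptor"', server_xml) is not None


def exposed_hosts(inventory):
    """inventory maps hostname -> (tomcat_version, server_xml_text).
    Returns every host on an affected version, with the advisory's fixed
    release and whether the interceptor is actually configured there."""
    result = {}
    for host, (version, server_xml) in inventory.items():
        verdict = assess(version)
        if verdict["affected"]:
            result[host] = {
                "fixed_in": verdict["fixed_in"],
                "interceptor_configured": uses_encrypt_interceptor(server_xml),
            }
    return result


# Constructed sample inventory: hostnames, versions and configs are made up.
CLUSTER_XML = ('<Interceptor className="org.apache.catalina.tribes.group.'
               'interceptors.EncryptInterceptor"/>')
PLAIN_XML = '<Engine name="Catalina" defaultHost="localhost"/>'
SAMPLE_INVENTORY = {
    "app-01": ("9.0.100", CLUSTER_XML),   # affected version, interceptor in use
    "app-02": ("9.0.116", CLUSTER_XML),   # already on the fixed release
    "app-03": ("11.0.0-M5", PLAIN_XML),   # affected version, no interceptor declared
    "app-04": ("8.5.50", CLUSTER_XML),    # affected, no fixed release named for 8.5
}

if __name__ == "__main__":
    for host, info in exposed_hosts(SAMPLE_INVENTORY).items():
        target = info["fixed_in"] or "a fixed release (none named for this line)"
        flag = "interceptor configured" if info["interceptor_configured"] else "interceptor not found"
        print(f"{host}: upgrade to {target} ({flag})")
```

Hosts that declare the interceptor are the ones where the padding oracle is reachable and belong at the front of the patch queue; hosts on an affected version without it are still listed, because the advisory's recommendation is to upgrade every affected installation. For the 8.5 and 7.0 lines the script reports that no fixed release is named, which is exactly what the advisory says.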
Evidence notes
CVE-2026-29146 was published on April 9, 2026, and last modified on June 30, 2026. The CVSS score is 7.5, indicating high severity. The vulnerability affects multiple versions of Apache Tomcat and can be exploited over the network. Users are recommended to upgrade to a fixed version of Apache Tomcat.
Official resources
- CVE-2026-29146 CVE record (CVE.org)
- CVE-2026-29146 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.