Critical Apache Tomcat Security Updates Patch Three High-Risk Vulnerabilities
The Apache Software Foundation has issued critical security updates for Tomcat to address three newly disclosed vulnerabilities affecting widely deployed enterprise web servers. These flaws pose significant risks by enabling attacks on encrypted communications, bypassing authentication mechanisms, and exposing systems to flawed patch implementations. System administrators should prioritize reviewing official advisories and applying patches immediately.
CVE-2026-29146: EncryptInterceptor Padding Oracle Attack
Discovered by Oligo Security researchers Uri Katz and Avi Lumelsky, this critical vulnerability stems from Apache Tomcat’s default use of Cipher Block Chaining (CBC) mode in the EncryptInterceptor. It enables padding oracle attacks where malicious actors can decrypt sensitive data by analyzing server responses to malformed encrypted traffic. This allows manipulation of encrypted session data.
Affected Versions:
- Tomcat 11.0.0-M1 to 11.0.18
- Tomcat 10.1.0-M1 to 10.1.52
- Tomcat 9.0.13 to 9.0.115
CVE-2026-34486: EncryptInterceptor Bypass Flaw
While addressing the padding oracle vulnerability, developers introduced a critical bypass flaw. Identified by Bartlomiej Dmitruk from striga.ai, this issue allows attackers to completely bypass EncryptInterceptor protections in patched versions. Systems running initial fixes remain exposed to traffic interception and tampering risks.
Affected Versions:
- Tomcat 11.0.20
- Tomcat 10.1.53
- Tomcat 9.0.116
CVE-2026-34500: OCSP Soft-Fail Authentication Bypass
A moderate-severity flaw discovered by Haruki Oyama at Waseda University, relates to OCSP certificate validation. When using the Foreign Function & Memory API (FFM) with disabled soft-fail, servers mistakenly trust revoked client certificates due to improper validation bypass, allowing unauthorized access.
Affected Versions:
- Tomcat 11.0.0-M14 to 11.0.20
- Tomcat 10.1.22 to 10.1.53
- Tomcat 9.0.92 to 9.0.116
Immediate Upgrade Required
To resolve all vulnerabilities, the ASF mandates upgrading to the latest releases: Tomcat 11.0.21, 10.1.54, or 9.0.117. This update ensures correct EncryptInterceptor implementation and strict client certificate authentication behavior as configured.
For detailed technical details, refer to the official Apache Tomcat Security Advisories. Implement these patches immediately to prevent potential data compromise and service disruption.