PT-2026-31712 · Apache · Apache Tomcat

Bartlomiej Dmitruk

·

Published

2026-04-02

·

Updated

2026-07-08

·

CVE-2026-34486

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Tomcat version 11.0.20 Apache Tomcat version 10.1.53 Apache Tomcat version 9.0.116
Description A flaw exists where the EncryptInterceptor, a component designed to ensure data encryption, can be bypassed. This issue was introduced as a result of a fix for a previous vulnerability. The bypass allows sensitive data to remain unencrypted, which may enable a remote attacker to gain unauthorized access to protected information and lead to information disclosure.
Recommendations Update version 11.0.20 to 11.0.21 Update version 10.1.53 to 10.1.54 Update version 9.0.116 to 9.0.117

Exploit

Fix

RCE

Missing Encryption of Sensitive Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALSA-2026:36879
BDU:2026-05544
BIT-TOMCAT-2026-34486
CVE-2026-34486
GHSA-69R9-QGR7-G2WJ
MGASA-2026-0095
OESA-2026-1970
OPENSUSE-SU-2026:10547-1
OPENSUSE-SU-2026:10548-1
OPENSUSE-SU-2026:10549-1
OPENSUSE-SU-2026:20595-1
OPENSUSE-SU-2026:20611-1
OPENSUSE-SU-2026:20612-1
SUSE-SU-2026:1558-1
SUSE-SU-2026:1572-1
SUSE-SU-2026:1603-1
SUSE-SU-2026:1604-1
SUSE-SU-2026:21366-1
SUSE-SU-2026:21378-1
SUSE-SU-2026:21379-1

Affected Products

Apache Tomcat