PT-2026-31712 · Apache · Apache Tomcat

Bartlomiej Dmitruk · Published 2026-04-02 · Updated 2026-05-12 · CVE-2026-34486

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat version 11.0.20
Apache Tomcat version 10.1.53
Apache Tomcat version 9.0.116
Description
A fail-open regression in the Tribes clustering component allows the EncryptInterceptor to be bypassed. Messages whose decryption fails are not dropped; instead they are forwarded to the internal Java deserialization logic. A remote, unauthenticated attacker can exploit this by sending unencrypted network packets to the Tribes receiver (TCP/4000). If usable gadget classes are present on the classpath, this can lead to arbitrary code execution. The issue stems from an earlier fix in which a line of code was moved outside a try block, so that the encryption layer forwards the output of a failed decryption to unfiltered deserialization.
Recommendations
Update Apache Tomcat version 11.0.20 to 11.0.21.
Update Apache Tomcat version 10.1.53 to 10.1.54.
Update Apache Tomcat version 9.0.116 to 9.0.117.
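The description above hinges on one control-flow detail: the hand-off to deserialization sits outside the try block, so a decryption failure does not stop the message. The following Python model, added here for illustration and not code from Apache Tomcat or the Tribes component, shows that fail-open shape beside the fail-closed one. The envelope format (HMAC-SHA256 tag over a SHA256-keystream XOR), the sample key and the function names (seal, open_envelope, receive_fail_open, receive_fail_closed, deserialize) are all constructed assumptions chosen so the example runs offline with the standard library; they do not describe the real EncryptInterceptor wire format.

```python
"""Fail-open vs fail-closed handling of a decryption failure on a receive path.

Illustrative model only: a toy authenticated envelope stands in for the
EncryptInterceptor, and json.loads stands in for the deserialization step.
"""
import hashlib
import hmac
import json
import os

# Constructed sample key for the demo; a real deployment derives this from configuration.
KEY = b"constructed-demo-key-not-secret"
NONCE_LEN = 16
TAG_LEN = 32


class DecryptionError(Exception):
    """Raised when a packet is too short or its authentication tag does not verify."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from SHA256(key || nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_envelope(key: bytes, packet: bytes) -> bytes:
    """Verify the tag, then decrypt. Any failure raises DecryptionError."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise DecryptionError("packet too short to carry a nonce and tag")
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError("authentication tag mismatch")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def deserialize(payload: bytes):
    """Stand-in for the internal deserialization step: whatever reaches here is trusted."""
    return json.loads(payload.decode("utf-8"))


def receive_fail_open(key: bytes, packet: bytes):
    """The regression pattern: the forward-to-deserialization line sits outside the try.

    When open_envelope raises, `data` still holds the raw, unauthenticated packet bytes,
    and those bytes are handed to deserialize() exactly as if decryption had succeeded.
    """
    data = packet
    try:
        data = open_envelope(key, packet)
    except DecryptionError:
        pass  # the failure is swallowed and control falls through to the hand-off below
    return deserialize(data)


def receive_fail_closed(key: bytes, packet: bytes):
    """The intended pattern: a failed decryption drops the message before any hand-off."""
    try:
        data = open_envelope(key, packet)
    except DecryptionError:
        return None  # drop; nothing from this packet reaches deserialization
    return deserialize(data)


if __name__ == "__main__":
    good = seal(KEY, b'{"op": "heartbeat"}')
    unencrypted = b'{"op": "unencrypted"}'  # constructed: a packet that was never sealed
    print("fail-closed, sealed packet:     ", receive_fail_closed(KEY, good))
    print("fail-closed, unencrypted packet:", receive_fail_closed(KEY, unencrypted))
    print("fail-open,   unencrypted packet:", receive_fail_open(KEY, unencrypted))
```

The fail-closed variant is the only one whose deserializer ever sees output of a successful decryption; in the fail-open variant the same deserializer also receives anything that fails authentication, which is the condition the advisory describes. When reviewing a fix of this kind, the check to make is that every path out of the decrypt-failure branch returns or throws before the hand-off line.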

Tags: Fix, RCE

Weakness Enumeration
Missing Encryption of Sensitive Data

Related Identifiers

BDU:2026-05544
BIT-TOMCAT-2026-34486
CVE-2026-34486
GHSA-69R9-QGR7-G2WJ
MGASA-2026-0095
OESA-2026-1970
OPENSUSE-SU-2026:10547-1
OPENSUSE-SU-2026:10548-1
OPENSUSE-SU-2026:10549-1
OPENSUSE-SU-2026:20595-1
OPENSUSE-SU-2026:20611-1
OPENSUSE-SU-2026:20612-1
SUSE-SU-2026:1558-1
SUSE-SU-2026:1572-1
SUSE-SU-2026:1603-1
SUSE-SU-2026:1604-1

Affected Products

Apache Tomcat