PT-2026-31700 · Apache+2 · Apache Tomcat+2

Avi Lumelsky +1 · Published 2026-03-23 · Updated 2026-05-19 · CVE-2026-29146

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.18
Apache Tomcat versions 10.0.0-M1 through 10.1.52
Apache Tomcat versions 9.0.13 through 9.115
Apache Tomcat versions 8.5.38 through 8.5.100
Apache Tomcat versions 7.0.100 through 7.0.109

Description
A Padding Oracle issue exists in the EncryptInterceptor when using the default configuration, as it utilizes CBC (Cipher Block Chaining) mode. This flaw is related to deficiencies in the error reporting mechanism, which could allow a remote attacker to perform a Padding Oracle attack to gain unauthorized access to protected information.

Recommendations
Upgrade versions 11.0.0-M1 through 11.0.18 to 11.0.19.
Upgrade versions 10.0.0-M1 through 10.1.52 to 10.1.53.
Upgrade versions 9.0.13 through 9.115 to 9.0.116.
At the moment, there is no information about a newer version that contains a fix for Apache Tomcat versions 8.5.38 through 8.5.100 and 7.0.100 through 7.0.109.

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information

Related Identifiers

BDU:2026-05543
BIT-TOMCAT-2026-29146
CVE-2026-29146
GHSA-H468-7PVH-8VR8
MGASA-2026-0095
OESA-2026-1970
OPENSUSE-SU-2026:10547-1
OPENSUSE-SU-2026:10548-1
OPENSUSE-SU-2026:10549-1
OPENSUSE-SU-2026:20595-1
OPENSUSE-SU-2026:20611-1
OPENSUSE-SU-2026:20612-1
SUSE-SU-2026:1558-1
SUSE-SU-2026:1572-1
SUSE-SU-2026:1603-1
SUSE-SU-2026:1604-1

Affected Products

Apache Tomcat
Confluence
Red Os