Apache Tomcat bug alert
Security posts flagged critical Apache Tomcat vulnerabilities that can bypass EncryptInterceptor, and administrators are urged to patch servers immediately. The alert arrived on social channels with examples and remediation pressure for affected deployments. (x.com)
Apache Tomcat administrators are being told to patch again after Apache disclosed a new EncryptInterceptor flaw, CVE-2026-34486, on April 9. (lists.apache.org) Tomcat uses EncryptInterceptor to protect messages between clustered servers, the machines that copy sessions and other state across a group. Apache said the new bug lets that protection be bypassed in Tomcat 11.0.20, 10.1.53, and 9.0.116. (openwall.com)

The new issue came from last week’s fix for CVE-2026-29146, a separate EncryptInterceptor bug that exposed clustered Tomcat deployments to a padding oracle attack. The National Vulnerability Database says that earlier flaw affected Tomcat 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. (nvd.nist.gov)

Apache’s advisory lists the patched releases for the bypass bug as 11.0.21, 10.1.54, and 9.0.117. Apache rated CVE-2026-34486 “Important,” and the National Vulnerability Database entry says the bug can lead to missing encryption of sensitive data. (tomcat.apache.org, nvd.nist.gov)

The timing matters for teams that patched quickly on April 9. Apache said the vulnerable versions for CVE-2026-34486 are the very releases that first fixed CVE-2026-29146, which means some administrators may have moved from one EncryptInterceptor problem straight into another. (lists.apache.org, lists.apache.org)

The scope is narrower than a general Tomcat internet-wide bug. EncryptInterceptor sits in Tomcat Tribes, the clustering component, so the risk centers on deployments that use Tomcat clustering rather than every standalone web server. (socradar.io, lists.apache.org)

Support status also shapes the response. Apache’s security pages say Tomcat 10.0.x and 8.5.x are end-of-life, and users on those branches need to move to supported lines because Apache will not keep issuing fixes there. (tomcat.apache.org, tomcat.apache.org)

The practical takeaway is short: if a cluster was updated to 11.0.20, 10.1.53, or 9.0.116 after April 9, Apache says update once more to 11.0.21, 10.1.54, or 9.0.117. (openwall.com, tomcat.apache.org)
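The version ranges and the "is this node even clustered?" scope question above translate into a small triage check. The script below is an added example, not code from the article or from the Apache Tomcat project: it takes the affected and fixed versions exactly as the article quotes them (NVD ranges for CVE-2026-29146, Apache's list for CVE-2026-34486, the end-of-life branches), orders milestone builds such as 11.0.0-M1 before the final release, and only reports exposure when the node's server.xml actually configures EncryptInterceptor inside a Cluster. The server.xml layout, the fully qualified class name and the two sample configurations are assumptions drawn from Tomcat's clustering configuration, not from the article; the encryptionKey value is a constructed placeholder.

```python
"""Added example, not from the article or the Apache Tomcat project.
Applies the version ranges quoted in the article to decide whether a Tomcat
node is exposed to CVE-2026-29146 or CVE-2026-34486 and which release to move to.
Assumption: server.xml follows Tomcat's documented <Cluster>/<Channel>/<Interceptor> layout."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Ranges as quoted in the article: NVD for CVE-2026-29146, Apache for CVE-2026-34486.
CVE_2026_29146_RANGES: List[Tuple[str, str]] = [
    ("11.0.0-M1", "11.0.18"),
    ("10.0.0-M1", "10.1.52"),
    ("9.0.13", "9.0.115"),
    ("8.5.38", "8.5.100"),
    ("7.0.100", "7.0.109"),
]
CVE_2026_34486_VULNERABLE = {"11.0.20", "10.1.53", "9.0.116"}
FIXED_BY_BRANCH = {"11.0": "11.0.21", "10.1": "10.1.54", "9.0": "9.0.117"}
EOL_BRANCHES = {"10.0", "8.5"}  # end-of-life per Apache's security pages, as cited

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
FINAL = 10**6  # sentinel so a final release sorts after every one of its milestones


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch' or 'major.minor.patch-Mn' into a sortable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test that is milestone-aware (11.0.0-M1 < 11.0.0)."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def assess(version: str) -> Dict[str, object]:
    """Map one Tomcat version to the CVEs it is exposed to and the advised action."""
    major, minor, _, _ = parse_version(version)
    branch = f"{major}.{minor}"
    cves = []
    if any(in_range(version, lo, hi) for lo, hi in CVE_2026_29146_RANGES):
        cves.append("CVE-2026-29146")
    if version in CVE_2026_34486_VULNERABLE:
        cves.append("CVE-2026-34486")
    eol = branch in EOL_BRANCHES
    if eol:
        action = f"branch {branch} is end-of-life; migrate to a supported line"
    elif cves and branch in FIXED_BY_BRANCH:
        action = f"update to {FIXED_BY_BRANCH[branch]}"
    elif cves:
        action = f"no fixed release for branch {branch} is listed; move to a supported line"
    else:
        action = "no action required for these two advisories"
    return {"version": version, "branch": branch, "cves": cves, "eol": eol, "action": action}


def uses_encrypt_interceptor(server_xml: str) -> bool:
    """True if an <Interceptor> under a <Cluster> names EncryptInterceptor in className."""
    root = ET.fromstring(server_xml)
    return any(
        "EncryptInterceptor" in (el.get("className") or "")
        for cluster in root.iter("Cluster")
        for el in cluster.iter("Interceptor")
    )


def report(version: str, server_xml: str) -> Dict[str, object]:
    """Scope check first (clustering with EncryptInterceptor on?), then the version check."""
    if not uses_encrypt_interceptor(server_xml):
        return {"version": version, "cves": [], "eol": False,
                "action": "EncryptInterceptor not configured; these advisories do not apply here"}
    return assess(version)


# Constructed sample configurations, not taken from any real deployment.
CLUSTERED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="PLACEHOLDER_KEY"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>"""
STANDALONE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina"><Engine name="Catalina" defaultHost="localhost"/></Service>
</Server>"""

if __name__ == "__main__":
    for v in ("11.0.20", "10.1.52", "9.0.117", "8.5.100", "11.0.0-M1"):
        print(v, "->", report(v, CLUSTERED_SERVER_XML)["action"])
    print("standalone 11.0.20 ->", report("11.0.20", STANDALONE_SERVER_XML)["action"])
```

Run it against each cluster member's reported version and its server.xml: a node on 11.0.20 comes back with CVE-2026-34486 and "update to 11.0.21", a node still on 10.1.52 comes back with CVE-2026-29146 and "update to 10.1.54", and a standalone server with no Cluster element is reported as out of scope regardless of version. The ranges are copied from the article as quoted, so any gap between NVD's upper bounds and Apache's first-fix releases is reproduced rather than resolved here.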