Description
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise
Action: Patch Now
AI Analysis

Impact

The fix for CVE-2026-29146, intended to close a prior issue, introduced a flaw where the EncryptInterceptor in Apache Tomcat is bypassed, leaving sensitive data unencrypted. This missing encryption can allow an attacker to read data that should otherwise be protected, making it a confidentiality risk. The flaw is classified as CWE-311, Missing Encryption of Sensitive Data, and is additionally tagged with CWE-807 (see History below).

Affected Systems

The vulnerability affects Apache Tomcat versions 11.0.20, 10.1.53, and 9.0.116. Users running these releases are advised to upgrade to the fixed releases: 11.0.21 for 11.x, 10.1.54 for 10.x, and 9.0.117 for 9.x. These releases resolve the encryption bypass.

Risk and Exploitability

The issue carries a CVSS score of 7.5, indicating a high severity, while the EPSS score is less than 1 percent, implying a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, likely over HTTP or HTTPS connections, since the vulnerability arises during request handling and could be triggered by crafted requests.

Generated by OpenCVE AI on April 14, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 to eliminate the encryption bypass flaw.


Advisories
Source: Github GHSA
ID: GHSA-69r9-qgr7-g2wj
Title: Apache Tomcat Missing Encryption of Sensitive Data vulnerability
History

Tue, 14 Apr 2026 13:00:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:apache:tomcat:10.1.53:*:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:11.0.20:*:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.116:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type: Metrics
Values Added:
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 12:15:00 +0000

Type: Weaknesses
Values Added: CWE-807

Type: References
(no values listed)

Type: Metrics
Values Removed:
  threat_severity: None
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  threat_severity: Important


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Apache, Apache tomcat

Type: Vendors & Products
Values Added: Apache, Apache tomcat

Thu, 09 Apr 2026 20:00:00 +0000

Type: Description
Values Added: Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Type: Title
Values Added: Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Type: Weaknesses
Values Added: CWE-311

Type: References
(no values listed)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T20:20:56.605Z

Reserved: 2026-03-30T07:57:49.315Z

Link: CVE-2026-34486

Vulnrichment

Updated: 2026-04-10T20:20:27.094Z

NVD

Status : Analyzed

Published: 2026-04-09T20:16:25.063

Modified: 2026-04-14T12:45:40.433

Link: CVE-2026-34486

Redhat

Severity : Important

Public Date: 2026-04-09T19:35:35Z

Links: CVE-2026-34486 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:48Z

Weaknesses