Description
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential exposure via logged Kubernetes bearer token
Action: Immediate Patch
AI Analysis

Impact

The Apache Tomcat cloud membership for clustering component writes the Kubernetes bearer token, a highly sensitive secret, to the standard log files. Anyone able to read those files obtains a privileged credential and can gain unauthorized access to the Kubernetes cluster and its resources. The vulnerability aligns with CWE-532 (insertion of sensitive information into a log file) and CWE-538 (insertion of sensitive information into an externally accessible file or directory).

Affected Systems

Apache Tomcat versions 9.x (9.0.13 through 9.0.116), 10.x (10.1.0-M1 through 10.1.53), and 11.x (11.0.0-M1 through 11.0.20) are affected. Administrators should check whether their installations fall within these ranges; the exposure applies to the clustering component across all three major release lines.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity, while the EPSS score below 1% indicates a low probability of exploitation, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote read access to Tomcat log files: an adversary who can read those logs can extract the bearer token. No public exploit is documented, and the issue is resolved by applying the vendor’s patch.

Generated by OpenCVE AI on April 14, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 to apply the fix
  • Confirm the deployment of the patched version and verify that the clustering component no longer logs sensitive tokens
  • If an immediate upgrade is not possible, restrict file system permissions for Tomcat log files to the minimal set of system accounts
  • Continuously monitor log files for unexpected entries to ensure no bearer tokens are being recorded

Generated by OpenCVE AI on April 14, 2026 at 13:24 UTC.

Advisories
Source: Github GHSA
ID: GHSA-x4m4-345f-5h5g
Title: Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
History

Tue, 14 Apr 2026 12:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type: Weaknesses
Values Added: CWE-538
Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}; threat_severity Low

Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Apache; Apache tomcat
Type: Vendors & Products
Values Added: Apache; Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type: References

Thu, 09 Apr 2026 20:00:00 +0000

Type: Description
Values Added: Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Type: Title
Values Added: Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Type: Weaknesses
Values Added: CWE-532
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:49:44.314Z

Reserved: 2026-03-30T08:10:48.531Z

Link: CVE-2026-34487

Vulnrichment

Updated: 2026-04-09T23:15:54.609Z

NVD

Status : Analyzed

Published: 2026-04-09T20:16:25.203

Modified: 2026-04-14T12:44:45.573

Link: CVE-2026-34487

Redhat

Severity : Low

Public Date: 2026-04-09T19:36:12Z

Links: CVE-2026-34487 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:46Z

Weaknesses