Description
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Escalated risk of exposure of Kubernetes bearer tokens through log files
Action: Immediate Patch
AI Analysis

Impact

Received information indicating that the cloud membership module of Apache Tomcat logs the Kubernetes bearer token directly into plain text log files. The vulnerability can lead to disclosure of a credential that grants privileged access to the cluster, potentially enabling further lateral movement or unauthorized resource manipulation. The weakness identified aligns with CWE‑532, the insertion of sensitive information into logs.

Affected Systems

Apache Tomcat 11.0.0‑M1 through 11.0.20, Apache Tomcat 10.1.0‑M1 through 10.1.53, and Apache Tomcat 9.0.13 through 9.0.116 are affected. Any deployment of these versions within a Kubernetes environment is at risk until upgraded.

Risk and Exploitability

The exploit requires the attacker to have legitimate access to the Tomcat log directory or the ability to read logs sent to a remote syslog server. While the public CVSS score is not provided, the presence of a bearer token in logs represents high confidentiality loss, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation yet; however, the severity of potential credential compromise warrants immediate attention.

Generated by OpenCVE AI on April 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Tomcat 11.0.21, 10.1.54, or 9.0.117, which eliminate the logging of sensitive tokens.
  • Inspect existing log files for unintended token exposure and rotate or delete compromised tokens if found.
  • Limit file system and network access to Tomcat log directories to prevent unauthorized reading of log content.

Generated by OpenCVE AI on April 9, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-538
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

threat_severity

Low

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Title Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
Weaknesses CWE-532
References

Subscriptions

Apache Tomcat
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:49:44.314Z

Reserved: 2026-03-30T08:10:48.531Z

Link: CVE-2026-34487

cve-icon Vulnrichment

Updated: 2026-04-09T23:15:54.609Z

cve-icon NVD

Status : Received

Published: 2026-04-09T20:16:25.203

Modified: 2026-04-10T18:16:43.713

Link: CVE-2026-34487

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-09T19:36:12Z

Links: CVE-2026-34487 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:30Z

Weaknesses