Apache Tomcat, the open-source backbone for millions of Java-based web applications, has been hit by a wave of security disclosures. A comprehensive audit has revealed ten distinct vulnerabilities affecting versions across the 8.5, 9.0, 10.1, and 11.0 branches. The flaws range from “Important” encryption bypasses to “Low” severity request smuggling, placing immense pressure on system administrators to patch their environments.
The most severe vulnerabilities in this set target Tomcat’s data protection mechanisms:
- EncryptInterceptor Bypass (CVE-2026-34486): In a classic case of a security fix introducing a new problem, the remediation for a previous vulnerability (CVE-2026-29146) accidentally allowed attackers to bypass the EncryptInterceptor. This leaves sensitive data unencrypted and exposed.
- Padding Oracle Attack (CVE-2026-29146): Tomcat’s EncryptInterceptor was found to be vulnerable to padding oracle attacks by default. This cryptographic flaw could allow an attacker to decrypt sensitive data without knowing the encryption key.
Several flaws impact how Tomcat handles user identity and sensitive internal data:
- OCSP Soft-Fail Flaws (CVE-2026-34500 & CVE-2026-29145): Two separate issues were found where CLIENT_CERT authentication failed to “fail as expected” when OCSP (Online Certificate Status Protocol) checks encountered errors. Even when “soft-fail” was disabled, the system occasionally allowed connections that should have been rejected.
- Kubernetes Token Exposure (CVE-2026-34487): A “low” severity but significant information leak was found in the cloud membership clustering component, which accidentally “exposed the Kubernetes bearer token” within log files.
The audit also uncovered issues in how Tomcat manages web traffic and records activity:
- Request Smuggling (CVE-2026-24880): Attackers could perform HTTP Request Smuggling by exploiting how Tomcat interprets invalid chunk extensions. This can lead to credential hijacking or the bypassing of security filters.
- Open Redirect (CVE-2026-25854): An occasional “Open Redirect” vulnerability was identified in the Load Balancer DrainingValve, potentially allowing attackers to redirect users to untrusted, malicious sites.
- JSON Logging Escape (CVE-2026-34483): The JsonAccessLogValve component suffered from “incomplete escaping,” which could allow an attacker to inject malformed data into JSON-formatted access logs.
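As an added illustration of the log-integrity point behind the JsonAccessLogValve issue (example code written here, not Tomcat's own, and not a statement of which characters Tomcat mishandled): a deliberately incomplete escaper beside a complete RFC 8259 escaper, with a check that an access-log line still parses and preserves the logged field. The request line and user agent are constructed sample values.

```python
import json

# RFC 8259 section 7: inside a JSON string the quote, the backslash and every
# control character U+0000..U+001F must be escaped. Short forms where defined,
# \uXXXX for the rest.
_SHORT_ESCAPES = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
                  '\n': '\\n', '\r': '\\r', '\t': '\\t'}


def naive_escape(value: str) -> str:
    """Hypothetical incomplete escaping: quotes and backslashes only."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def full_escape(value: str) -> str:
    """Complete JSON string escaping: quote, backslash and all controls."""
    out = []
    for ch in value:
        if ch in _SHORT_ESCAPES:
            out.append(_SHORT_ESCAPES[ch])
        elif ord(ch) < 0x20:
            out.append(f'\\u{ord(ch):04x}')
        else:
            out.append(ch)
    return ''.join(out)


def log_record(escape, request_line: str, user_agent: str) -> str:
    """Build one JSON access-log line using the supplied escaping function."""
    return ('{"request":"' + escape(request_line) + '",'
            '"userAgent":"' + escape(user_agent) + '"}')


def record_is_intact(line: str, expected_ua: str) -> bool:
    """A line is intact if it is valid JSON and the field survived unchanged."""
    try:
        rec = json.loads(line)   # strict mode rejects raw control characters
    except json.JSONDecodeError:
        return False
    return rec.get("userAgent") == expected_ua


# Constructed sample: a client-controlled header value carrying a raw CR/LF.
SAMPLE_REQUEST = "GET /index.html HTTP/1.1"
SAMPLE_UA = "curl/8.0\r\nforged-entry"

if __name__ == "__main__":
    for name, fn in (("naive", naive_escape), ("full", full_escape)):
        line = log_record(fn, SAMPLE_REQUEST, SAMPLE_UA)
        print(name, "intact" if record_is_intact(line, SAMPLE_UA) else "broken")
```

With the naive escaper the header's raw CR/LF ends up verbatim in the file, so the line is no longer valid JSON and a second text line appears; with full escaping the record parses and the field reads back exactly as logged.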
The Apache Tomcat team has released a series of updates to close these gaps. Administrators are “recommended to upgrade” to the following versions immediately to ensure full protection:
For those using Tomcat Native, versions 1.3.7 or 2.0.14 are required to fix the OCSP authentication issues. With ten separate vulnerabilities in play, delaying your update is a risk that could leave your enterprise data, and your Kubernetes tokens, dangerously exposed.