Critical Apache Tomcat Flaws Let Attackers Bypass EncryptInterceptor
Key Takeaways
- The Apache Software Foundation has released urgent security updates for Apache Tomcat, addressing several critical vulnerabilities.
- A flawed initial patch introduced a new severe flaw (CVE-2026-34486) allowing attackers to completely bypass the EncryptInterceptor.
- Other issues include a padding oracle attack (CVE-2026-29146) and a certificate authentication bypass (CVE-2026-34500).
- Multiple versions of Apache Tomcat, including 11.x, 10.x, and 9.x, are affected.
- Immediate upgrades to versions 11.0.21, 10.1.54, or 9.0.117 (or later) are crucial for all administrators.
The Apache Software Foundation has issued a series of emergency security updates for Apache Tomcat, addressing multiple vulnerabilities that could expose servers to significant risks. These advisories highlight a critical patching error that inadvertently introduced a complete interception bypass, alongside issues affecting certificate authentication and susceptibility to padding oracle attacks.
System administrators are strongly advised to update their Apache Tomcat deployments without delay to mitigate potential exploitation and secure their environments.
Flawed Patch Leads to EncryptInterceptor Bypass
At the forefront of these concerns is a severe flaw stemming from an initial security patch. Researchers at Oligo Security, Uri Katz and Avi Lumelsky, first identified CVE-2026-29146, an “Important” severity vulnerability where the EncryptInterceptor component of Tomcat defaulted to using Cipher Block Chaining (CBC). This configuration made servers vulnerable to a padding oracle attack, potentially enabling malicious actors to decrypt intercepted network traffic.
To address this initial cryptographic weakness, Apache released an initial round of updates. However, this fix inadvertently introduced a new, equally critical vulnerability, tracked as CVE-2026-34486. Bartlomiej Dmitruk from striga.ai identified this subsequent flaw, which allows attackers to completely bypass the EncryptInterceptor. Organizations that applied the intermediary update versions are particularly exposed to this bypass mechanism due to the defective nature of the initial patch.
Certificate Validation Failures and Padding Oracle Attacks
In addition to the EncryptInterceptor issues, Apache has also resolved a “Moderate” severity vulnerability, CVE-2026-34500, affecting the Online Certificate Status Protocol (OCSP) checks within Tomcat. Discovered and reported by Haruki Oyama from Waseda University, this flaw manifests under specific conditions when the Foreign Function and Memory (FFM) API is in use: OCSP validation soft-fails even when administrators have explicitly disabled soft-failing.
The consequence is that CLIENT_CERT authentication does not fail as expected, so a client whose certificate status could not be verified may still be accepted, which undermines access controls and could allow unauthorized access.
Affected Versions and Recommended Updates
The vulnerabilities span multiple branches of Apache Tomcat. Specifically, the flawed patch that enables the EncryptInterceptor bypass (CVE-2026-34486) affects:
- Apache Tomcat 11.0.20
- Apache Tomcat 10.1.53
- Apache Tomcat 9.0.116
The broader set of vulnerabilities, including the initial padding oracle attack (CVE-2026-29146) and the certificate validation failures (CVE-2026-34500), impact an even wider range of earlier versions:
- Apache Tomcat 11.0.0-M1 through 11.0.20
- Apache Tomcat 10.1.0-M1 through 10.1.53
- Apache Tomcat 9.0.13 through 9.0.116
To fully address all three vulnerabilities—the flawed EncryptInterceptor patch, the padding oracle attack, and the OCSP certificate validation failure—administrators must upgrade their systems to the latest secure releases. The Apache Software Foundation strongly advises applying the following updates:
- Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
- Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
- Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later
Organizations operating older, End-of-Life (EOL) versions of Tomcat must migrate to a supported branch immediately, as these legacy systems will not receive patches for these critical flaws.
What You Should Do
- Immediately identify all Apache Tomcat instances within your environment.
- Verify the current version of each Apache Tomcat deployment.
- Prioritize upgrading all affected versions to Apache Tomcat 11.0.21, 10.1.54, or 9.0.117, or newer.
- For any End-of-Life (EOL) Tomcat versions, plan and execute a migration to a currently supported branch as soon as possible.
- Monitor Apache Software Foundation security advisories for any further updates or emerging threats related to Tomcat.
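To support the first three steps above (inventory, version check, prioritisation), the following Python helper classifies Tomcat version strings against the affected and fixed releases named in this advisory. It is an added example, not code from Apache or from the advisory; the sample inventory at the bottom is constructed, and the version-string format (`Apache Tomcat/11.0.20`, optional `-M<n>` milestone suffix, as printed by Tomcat's `version.sh`) is an assumption about the input you feed it.

```python
"""Classify Apache Tomcat version strings against the advisory's affected
and fixed releases (added example; advisory data only, no other source)."""
import re

GA = 10**6  # sort rank for a general-availability release (after any milestone)

# Fixed releases named in the advisory, per supported branch.
FIXED = {"11.0": (11, 0, 21, GA), "10.1": (10, 1, 54, GA), "9.0": (9, 0, 117, GA)}
# Start of the affected range per branch, from the advisory
# (11.0.0-M1, 10.1.0-M1, 9.0.13).
FIRST_AFFECTED = {"11.0": (11, 0, 0, 1), "10.1": (10, 1, 0, 1), "9.0": (9, 0, 13, GA)}
# Releases carrying the flawed first patch (CVE-2026-34486), from the advisory.
FLAWED_PATCH = {(11, 0, 20, GA), (10, 1, 53, GA), (9, 0, 116, GA)}

# Assumed input format: "Apache Tomcat/9.0.116" or bare "9.0.116", optional "-M1".
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, rank).

    Milestone builds such as 11.0.0-M1 get rank = milestone number, so they
    sort before the GA release with the same major.minor.patch.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def classify(text):
    """Map one version string to a remediation status."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED:
        # Not among the branches listed in the advisory; EOL branches get no fix.
        return "unlisted-branch"
    if v >= FIXED[branch]:
        return "fixed"
    if v in FLAWED_PATCH:
        return "flawed-patch"          # CVE-2026-34486: EncryptInterceptor bypass
    if v >= FIRST_AFFECTED[branch]:
        return "vulnerable"            # CVE-2026-29146 / CVE-2026-34500
    return "before-affected-range"


def triage(version_strings):
    """Group an inventory of version strings by status, preserving input order."""
    report = {}
    for s in version_strings:
        report.setdefault(classify(s), []).append(s.strip())
    return report


# Constructed sample inventory (not real hosts), as version.sh would print it.
SAMPLE_INVENTORY = [
    "Apache Tomcat/11.0.20", "Apache Tomcat/11.0.21", "Apache Tomcat/10.1.53",
    "Apache Tomcat/10.1.0-M1", "Apache Tomcat/9.0.116", "Apache Tomcat/9.0.117",
    "Apache Tomcat/9.0.12", "Apache Tomcat/8.5.100",
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:22} {', '.join(hosts)}")
```

Instances reported as `flawed-patch` deserve the highest priority, since they are the ones that already applied the intermediary update and are exposed to the complete EncryptInterceptor bypass; `unlisted-branch` entries are candidates for the EOL migration in the next step.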
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.