Apache Tomcat Flaws Let Attackers Bypass EncryptInterceptor

David Kimber
April 13, 2026


In response to multiple vulnerabilities, the Apache Software Foundation has issued emergency security updates for Apache Tomcat.

The latest advisories highlight a critical patching error that inadvertently exposed servers to an EncryptInterceptor bypass, as well as issues affecting certificate authentication and a padding-oracle weakness.

Administrators must update their deployments immediately to secure their environments against potential exploitation.

EncryptInterceptor Bypass and Padding Oracle Attacks

The most pressing issue stems from a flawed security patch. Security researchers first discovered CVE-2026-29146, an “Important” severity flaw in which the EncryptInterceptor used Cipher Block Chaining (CBC) mode by default.

This configuration left the server vulnerable to a padding oracle attack, potentially allowing malicious actors to decrypt intercepted traffic.

Oligo Security researchers Uri Katz and Avi Lumelsky identified and reported this initial cryptographic weakness. To resolve the padding oracle threat, Apache released an initial round of updates.

However, the fix introduced a new, equally severe vulnerability tracked as CVE-2026-34486.

Identified by Bartlomiej Dmitruk from striga.ai, this subsequent flaw allowed attackers to bypass the EncryptInterceptor completely.

Because the initial patch was defective, organizations running the interim update versions are currently exposed to this bypass.

Alongside the EncryptInterceptor issues, Apache addressed a “Moderate” severity vulnerability tracked as CVE-2026-34500. This flaw impacts the Online Certificate Status Protocol (OCSP) checks within Tomcat.

Under specific conditions, when the Foreign Function and Memory (FFM) API is used, OCSP validation soft-fails even if the administrator has explicitly disabled soft-failing.

Consequently, CLIENT_CERT authentication does not fail as expected, creating unexpected authentication behavior that could compromise access controls.

Haruki Oyama from Waseda University discovered and reported this certificate validation error (CVE-2026-34500).

The vulnerabilities impact multiple branches of Apache Tomcat. The flawed patch that allows the EncryptInterceptor bypass (CVE-2026-34486) affects exactly these releases:

  • Apache Tomcat 11.0.20
  • Apache Tomcat 10.1.53
  • Apache Tomcat 9.0.116

The broader vulnerabilities, including the initial padding oracle attack and the certificate validation failures, impact a wider range of earlier versions:

  • Apache Tomcat 11.0.0-M1 through 11.0.20
  • Apache Tomcat 10.1.0-M1 through 10.1.53
  • Apache Tomcat 9.0.13 through 9.0.116

To resolve all three vulnerabilities, including the flawed EncryptInterceptor patch and the OCSP certificate validation failure, administrators must upgrade their systems to the latest secure releases.

The Apache Software Foundation strongly recommends applying the following updates:

  • Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
  • Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
  • Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later

Organizations running older, End-of-Life (EOL) versions of Tomcat should migrate to a supported branch immediately, as these legacy systems will not receive patches for the padding oracle attack or subsequent bypass flaws.
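To turn the version ranges above into a repeatable fleet check, here is a small triage script (added here as an example; it is not Apache's or the reporters' code). It encodes the affected and fixed releases exactly as the advisory summary lists them, treats milestone builds such as 10.1.0-M1 as sorting before the matching GA release, and flags versions from branches the advisories do not cover so they can be reviewed for end-of-life status; the sample inputs at the bottom are constructed.

```python
import re

# Ranges exactly as stated in the advisories: CVE-2026-29146 (CBC padding oracle)
# and CVE-2026-34500 (OCSP soft-fail) affect the whole span; CVE-2026-34486
# (the defective patch) affects only the three interim releases.
BROAD_RANGES = {
    (11, 0): ("11.0.0-M1", "11.0.20"),
    (10, 1): ("10.1.0-M1", "10.1.53"),
    (9, 0):  ("9.0.13",    "9.0.116"),
}
BYPASS_RELEASES = {"11.0.20", "10.1.53", "9.0.116"}
FIXED_IN = {(11, 0): "11.0.21", (10, 1): "10.1.54", (9, 0): "9.0.117"}
CVES = ("CVE-2026-29146", "CVE-2026-34500", "CVE-2026-34486")

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(v: str) -> tuple:
    """Turn '10.1.0-M1' into a comparable tuple; milestones sort before GA."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    rel = int(milestone) if milestone else 10**6   # GA outranks any -Mn build
    return (int(major), int(minor), int(patch), rel)

def triage(version: str) -> dict:
    """Report which of the three CVEs apply and which release to upgrade to."""
    key = parse_version(version)
    branch = key[:2]
    result = {"version": version.strip(), "upgrade_to": None, "note": ""}
    result.update({cve: False for cve in CVES})
    if branch not in BROAD_RANGES:
        result["note"] = "branch not covered by these advisories; check EOL status"
        return result
    lo, hi = (parse_version(b) for b in BROAD_RANGES[branch])
    if lo <= key <= hi:
        result["CVE-2026-29146"] = result["CVE-2026-34500"] = True
        result["CVE-2026-34486"] = result["version"] in BYPASS_RELEASES
        result["upgrade_to"] = FIXED_IN[branch]
    elif key > hi:
        result["note"] = "at or past the fixed release"
    else:
        result["note"] = "below the affected range; upgrade still recommended"
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("9.0.116", "10.1.0-M1", "11.0.21", "8.5.0"):
        print(triage(v))
```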
