Vulnerability Overview
Apache Tomcat 9.0.116, 10.1.53, and 11.0.20 are the releases associated with CVE-2026-34486, an EncryptInterceptor bypass that followed the incomplete fix for CVE-2026-29146. Apache and NVD describe it as missing encryption of sensitive data in affected Tomcat clustering scenarios.
Attacker Impact
When an affected Tomcat runtime is deployed with the relevant clustering configuration and network boundary, traffic that operators expect to be protected by EncryptInterceptor may not receive the intended confidentiality protection. A dependency or version match alone does not prove that clustering is enabled, that EncryptInterceptor is configured, that cluster receiver traffic is reachable, or that sensitive data crossed the affected path.
Covered by FixVibe
FixVibe GitHub repo scans can flag Maven and Gradle build files that resolve exact Tomcat releases associated with CVE-2026-34486. The finding reports the package coordinate, version, file path, advisory sources, confidence, and fixed release line as version-based advisory evidence.
FixVibe does not run Tomcat, inspect build machines or external deployments, prove clustering is enabled, prove EncryptInterceptor is active, intercept cluster traffic, send crafted Tribes packets, disable encryption for comparison, or claim plaintext-disclosure confirmation.
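The version-based check described above, written out as an added example that is not FixVibe's own scanner: it parses a Maven pom.xml (resolving ${property} references and the tomcat.version property that Spring Boot parents honour) and a Gradle build file (string-notation coordinates and the ext['tomcat.version'] override), and reports each exact match of an affected release with its coordinate, file, fixed release, and a confidence label that records the evidence as a version match only. The Tomcat group ids and artifact names are real Maven Central coordinates; the two build files are constructed sample input.

```python
"""Version-based check for Maven and Gradle build files that pin a Tomcat
release affected by CVE-2026-34486. Added example, not FixVibe's scanner."""
import re
import xml.etree.ElementTree as ET

# Affected exact release -> first fixed release on the same line (per the advisory).
AFFECTED = {"9.0.116": "9.0.117", "10.1.53": "10.1.54", "11.0.20": "11.0.21"}

# Group ids under which Tomcat artifacts are published on Maven Central.
TOMCAT_GROUPS = ("org.apache.tomcat", "org.apache.tomcat.embed")

# Gradle patterns: string-notation coordinates and the Spring Boot
# 'tomcat.version' override written as ext['tomcat.version'] = '...'.
GRADLE_COORD = re.compile(
    r"""['"](org\.apache\.tomcat(?:\.embed)?):([A-Za-z0-9._-]+):([0-9.]+)['"]""")
GRADLE_PROP = re.compile(r"""ext\[['"]tomcat\.version['"]\]\s*=\s*['"]([0-9.]+)['"]""")


def _finding(coordinate, version, path, ecosystem):
    return {
        "advisory": "CVE-2026-34486",
        "coordinate": coordinate,
        "version": version,
        "file": path,
        "ecosystem": ecosystem,
        "fixed_in": AFFECTED[version],
        # A version match is advisory evidence only: it does not show that
        # clustering or EncryptInterceptor is in use in the deployment.
        "confidence": "version-match",
    }


def _local(tag):
    """Drop the XML namespace prefix ElementTree attaches to POM tags."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml, path="pom.xml"):
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    # Spring Boot parents take the managed Tomcat version from this property.
    if props.get("tomcat.version") in AFFECTED:
        findings.append(_finding("property:tomcat.version", props["tomcat.version"], path, "maven"))
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        # Resolve ${property} references in <version> against <properties>.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        if f.get("groupId") in TOMCAT_GROUPS and version in AFFECTED:
            coord = f"{f['groupId']}:{f.get('artifactId', '?')}"
            findings.append(_finding(coord, version, path, "maven"))
    return findings


def scan_gradle(build_text, path="build.gradle"):
    findings = []
    for m in GRADLE_PROP.finditer(build_text):
        if m.group(1) in AFFECTED:
            findings.append(_finding("property:tomcat.version", m.group(1), path, "gradle"))
    for group, artifact, version in GRADLE_COORD.findall(build_text):
        if version in AFFECTED:
            findings.append(_finding(f"{group}:{artifact}", version, path, "gradle"))
    return findings


# Constructed sample build files (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <tomcat.version>10.1.53</tomcat.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina-ha</artifactId>
      <version>10.1.54</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """ext['tomcat.version'] = '9.0.116'
dependencies {
    implementation 'org.apache.tomcat.embed:tomcat-embed-core:11.0.20'
    implementation 'org.apache.tomcat:tomcat-catalina-ha:11.0.21'
}
"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM) + scan_gradle(SAMPLE_GRADLE):
        print(f"{finding['file']}: {finding['coordinate']} {finding['version']} "
              f"-> upgrade to {finding['fixed_in']} ({finding['confidence']})")
```

The already-fixed tomcat-catalina-ha entries in both samples are deliberately left unflagged: the check matches exact affected releases only, which is why a finding says nothing about whether the cluster components are deployed or EncryptInterceptor is configured; that follow-up belongs to the operator reviewing the running server.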
Remediation
Upgrade the active Tomcat release line to 9.0.117, 10.1.54, 11.0.21, or newer. Align direct Tomcat modules, Tomcat BOMs, Spring Boot-managed Tomcat versions, Gradle constraints, and container base images so the deployed WAR, JAR, image, or external server no longer carries 9.0.116, 10.1.53, or 11.0.20. If clustering is used, review the deployed cluster configuration after the upgrade to confirm EncryptInterceptor remains intentionally configured and protected by the expected network controls.
