Covered by FixVibe · Severity: high

Apache Tomcat EncryptInterceptor Bypass (CVE-2026-34486)

FixVibe covers CVE-2026-34486 as a repo-scan version advisory for exact Apache Tomcat releases, while keeping clustering and plaintext-disclosure conditions explicit.

CVE-2026-34486 · GHSA-69r9-qgr7-g2wj · CWE-311

Vulnerability Overview

Apache Tomcat 9.0.116, 10.1.53, and 11.0.20 are associated with CVE-2026-34486, an EncryptInterceptor bypass that followed the incomplete fix for CVE-2026-29146. Apache and NVD describe this as missing encryption of sensitive data in affected Tomcat clustering scenarios.

Attacker Impact

When an affected Tomcat runtime is deployed with the relevant clustering configuration and network boundary, traffic that operators expect to be protected by EncryptInterceptor may not receive the intended confidentiality protection. A dependency or version match alone does not prove that clustering is enabled, that EncryptInterceptor is configured, that cluster receiver traffic is reachable, or that sensitive data crossed the affected path.

Covered by FixVibe

FixVibe GitHub repo scans can flag Maven and Gradle build files that resolve exact Tomcat releases associated with CVE-2026-34486. The finding reports the package coordinate, version, file path, advisory sources, confidence, and fixed release line as version-based advisory evidence.

FixVibe does not run Tomcat, inspect build machines or external deployments, prove clustering is enabled, prove EncryptInterceptor is active, intercept cluster traffic, send crafted Tribes packets, disable encryption for comparison, or claim plaintext-disclosure confirmation.

Remediation

Upgrade the active Tomcat release line to 9.0.117, 10.1.54, 11.0.21, or newer. Align direct Tomcat modules, Tomcat BOMs, Spring Boot-managed Tomcat versions, Gradle constraints, and container base images so the deployed WAR, JAR, image, or external server no longer carries 9.0.116, 10.1.53, or 11.0.20. If clustering is used, review the deployed cluster configuration after the upgrade to confirm EncryptInterceptor remains intentionally configured and protected by the expected network controls.
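The version-based scan described under "Covered by FixVibe" and the upgrade check in this section can be illustrated with a small build-file matcher. The following is an added example, not FixVibe's own scanner or any Apache code: it parses constructed pom.xml and build.gradle fragments, resolves a Maven `${...}` property, and flags the exact Tomcat releases named on this page, reporting the coordinate, version, file path, advisory sources, confidence and fixed release line. The Tomcat groupId list, the confidence label and the sample build files are assumptions made for the example; it deliberately reports only "version-match" evidence because, as the page notes, a build-file match proves nothing about clustering or EncryptInterceptor being active.

```python
"""Added example: version-based advisory check for CVE-2026-34486 over Maven/Gradle build files."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict

# Exact affected releases and the fixed release on each line, as stated in the advisory text.
AFFECTED_TO_FIXED = {"9.0.116": "9.0.117", "10.1.53": "10.1.54", "11.0.20": "11.0.21"}
ADVISORY_SOURCES = ("CVE-2026-34486", "GHSA-69r9-qgr7-g2wj", "CWE-311")
# Assumption: groupIds under which Tomcat modules are published; illustrative, not FixVibe's matcher.
TOMCAT_GROUPS = ("org.apache.tomcat", "org.apache.tomcat.embed")

# Gradle string-notation coordinate: 'group:artifact:version' (map-style notation is not handled).
GRADLE_COORD = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")


@dataclass
class Finding:
    file_path: str
    coordinate: str
    version: str
    fixed_version: str
    sources: tuple
    confidence: str  # always "version-match": build-file evidence only, no runtime proof


def _local(tag):
    """Strip the XML namespace from an element tag (Maven POMs are namespaced)."""
    return tag.rsplit("}", 1)[-1]


def _maven_deps(xml_text):
    """Yield (groupId, artifactId, version) for every <dependency>, resolving ${property} versions."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root:
        if _local(el.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in el}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)  # unresolvable property is left as-is
        yield fields.get("groupId", ""), fields.get("artifactId", ""), version


def _gradle_deps(text):
    """Yield (group, artifact, version) for string-notation Gradle coordinates."""
    for m in GRADLE_COORD.finditer(text):
        yield m.group(1), m.group(2), m.group(3)


def scan_build_file(path, text):
    """Return a Finding for each Tomcat dependency pinned to an exact affected release."""
    deps = _maven_deps(text) if path.endswith("pom.xml") else _gradle_deps(text)
    findings = []
    for group, artifact, version in deps:
        if group in TOMCAT_GROUPS and version in AFFECTED_TO_FIXED:
            findings.append(Finding(path, f"{group}:{artifact}", version,
                                    AFFECTED_TO_FIXED[version], ADVISORY_SOURCES, "version-match"))
    return findings


# Constructed sample build files for the example; not taken from any real repository.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>10.1.53</tomcat.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina-ha</artifactId>
      <version>9.0.117</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.116'
    testImplementation 'org.junit.jupiter:junit-jupiter:5.10.2'
}"""


def main():
    for path, text in (("pom.xml", SAMPLE_POM), ("build.gradle", SAMPLE_GRADLE)):
        for finding in scan_build_file(path, text):
            print(asdict(finding))


if __name__ == "__main__":
    main()
```

Running the block reports one finding per sample file: the property-resolved 10.1.53 embed dependency in the POM (the 9.0.117 HA module is already on a fixed release and is not flagged) and the 9.0.116 coordinate in the Gradle file. Re-running after bumping the pinned versions to 9.0.117 / 10.1.54 yields no findings, which is the post-upgrade check the remediation section calls for; the cluster-configuration review it also asks for is outside what a build-file scan can answer.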
