HIGHCVE-2026-29146Published 2026-04-09Modified 2026-04-10CNA apache

CVE-2026-29146: Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

Apache Software Foundation / Apache Tomcat
≤ 11.0.18 · ≤ 10.1.52 · ≤ 9.0.115 · ≤ 8.5.100 · ≤ 7.0.109

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

lists.apache.org

Metrics