CVE-2026-34486: Apache Tomcat Missing Encryption of Sensitive Data vulnerability
(updated )
Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
References
- github.com/advisories/GHSA-69r9-qgr7-g2wj
- github.com/apache/tomcat/commit/1fab40ccc752e22639eccfe290d5624afad7eccd
- github.com/apache/tomcat/commit/55f3eb9148233054fccfdf761141c6894a050be1
- github.com/apache/tomcat/commit/776e12b3e2b0b4507b8a3b62c187ceb0b74bf418
- lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
- nvd.nist.gov/vuln/detail/CVE-2026-34486
- tomcat.apache.org/security-10.html
- tomcat.apache.org/security-11.html
- tomcat.apache.org/security-9.html
- www.herodevs.com/vulnerability-directory/cve-2026-34486
Code Behaviors & Features
Detect and mitigate CVE-2026-34486 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →