{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29129", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-04T08:16:56.456Z", "datePublished": "2026-04-09T19:19:40.645Z", "dateUpdated": "2026-04-09T23:15:48.414Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.18", "status": "affected", "version": "11.0.16", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.51", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.114", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Configured cipher preference order not preserved vulnerability in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.</p><p>Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.</p>"}], "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "Configured cipher preference order not preserved", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:19:40.645Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: TLS cipher order is not preserved", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:48.414Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Configured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue."}], "id": "CVE-2026-29129", "lastModified": "2026-04-10T00:16:34.673", "metrics": {}, "published": "2026-04-09T20:16:24.343", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/22"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Configured cipher preference order not preserved", "id": "2457031", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457031"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-15", "details": ["A flaw was found in Apache Tomcat. This vulnerability occurs when the configured cipher preference order is not preserved. This could allow an attacker to bypass intended security configurations, potentially leading to a weakened security posture or information disclosure."], "mitigation": {"lang": "en:us", "value": "Configure Apache Tomcat to explicitly allow only strong cipher suites. This ensures that even if the preference order is not strictly honored, only secure ciphers are utilized for TLS connections.\nEdit the `server.xml` file, typically located at `/etc/tomcat/server.xml` or `/opt/tomcat/conf/server.xml`, and modify the `<Connector>` element to include a `ciphers` attribute listing only approved strong cipher suites. For example:\n`<Connector port=\"8443\" protocol=\"org.apache.coyote.http11.Http11NioProtocol\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLSv1.2+TLSv1.3\" ciphers=\"TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256\"/>`\nReplace the example cipher list with a comprehensive set of strong ciphers appropriate for your environment. This may impact compatibility with older clients that do not support the specified strong cipher suites.\nA restart of the Apache Tomcat service is required for the changes to take effect. Use the command `systemctl restart tomcat` or `systemctl restart tomcat9` depending on your installed package."}, "name": "CVE-2026-29129", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:19:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29129\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29129\nhttps://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f"], "statement": "Low impact. A flaw in Apache Tomcat allows the configured cipher preference order to be bypassed. This could lead to a server using a weaker cipher than intended, potentially reducing the security posture of TLS connections. This affects Red Hat Enterprise Linux systems running Apache Tomcat.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.16,11.0.18]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.51,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.114,9.0.115]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T20:51:44.562400+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to a fixed release: 11.0.20 or newer, 10.1.53 or newer, or 9.0.116 or newer. Verification steps include confirming that the cipher order configuration is honored after the update."], "summary": {"action": "Immediate Patch", "impact": "Cipher Suite Downgrade"}, "threat_synthesis": {"affected_systems": "The issue affects Apache Tomcat releases 11.0.16 through 11.0.18, 10.1.51 through 10.1.52, and 9.0.114 through 9.0.115. All deployments using one of these affected versions are vulnerable regardless of other configuration settings.", "description_and_impact": "The vulnerability arises because Apache Tomcat does not preserve the configured cipher preference order during a TLS handshake. This oversight can cause a client\u2011selected cipher suite that is weaker than the server\u2019s intended choice, potentially enabling downgrade attacks or exposure of encrypted traffic. Server administrators rely on the specified cipher order to enforce the use of strong cryptographic algorithms; failure to honor the order undermines the confidentiality and integrity guarantees of TLS connections.", "risk_and_exploitability": "The CVSS score is not provided, but the nature of the flaw allows an attacker to force the use of a weaker cipher suite, which can be exploited to intercept or tamper with SSL/TLS traffic. EPSS information is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via a network\u2011bound TLS connection, where an adversary can supply a handshake that leverages the misorder of cipher suites. Because the flaw is in the server\u2019s handling of cryptographic preferences, the attack does not require privileged access and can be performed remotely against any exposed Tomcat instance."}}}}, "created": "2026-04-10T08:38:57.484753+00:00", "updated": "2026-04-10T09:29:42.420201+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"], "weaknesses": ["CWE-284"]}