{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29146", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-04T10:35:55.231Z", "datePublished": "2026-04-09T19:21:57.289Z", "dateUpdated": "2026-04-09T23:15:51.111Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.18", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.13", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "affected", "version": "8.5.38", "versionType": "semver"}, {"lessThanOrEqual": "7.0.109", "status": "affected", "version": "7.0.100", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Uri Katz and Avi Lumelsky (Oligo Security)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.</p><p>Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.</p>"}], "value": "Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "Padding Oracle", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:21:57.289Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:51.111Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue."}], "id": "CVE-2026-29146", "lastModified": "2026-04-10T00:16:34.913", "metrics": {}, "published": "2026-04-09T20:16:24.577", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received"}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor", "id": "2457020", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457020"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-1240", "details": ["A flaw was found in Apache Tomcat. This Padding Oracle vulnerability, present in the EncryptInterceptor with its default configuration, could allow a remote attacker to decrypt sensitive information. By exploiting weaknesses in the encryption padding, an attacker may be able to gain unauthorized access to data that should remain confidential."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-29146", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:21:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29146\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29146\nhttps://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"], "statement": "Important: A padding oracle vulnerability exists in Apache Tomcat's EncryptInterceptor when using its default configuration. This flaw could allow a remote attacker to decrypt sensitive information by exploiting weaknesses in the encryption padding. Red Hat products utilizing Apache Tomcat with the EncryptInterceptor in its default configuration are affected.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M1,11.0.18]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0.0-M1,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.13,9.0.115]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.5.38,8.5.100]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.100,7.0.109]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T20:51:13.055740+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to version 11.0.19, 10.1.53, 9.0.116, or any newer release that contains the fix."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality Breach via Decryption"}, "threat_synthesis": {"affected_systems": "The issue is present in Apache Tomcat versions from 7.0.100 up to 7.0.109, 8.5.38 to 8.5.100, 9.0.13 to 9.0.115, 10.0.0-M1 to 10.1.52, and 11.0.0-M1 to 11.0.18. Upgrading to Tomcat 11.0.19, 10.1.53, or 9.0.116, or later releases, removes the vulnerability. Only systems running the affected range with the EncryptInterceptor active in its default mode are impacted.", "description_and_impact": "Padding oracle vulnerability was discovered in Apache Tomcat\u2019s EncryptInterceptor when it is enabled with default configuration. The flaw allows an attacker who can influence the encrypted data to discover the padding used during decryption, and by sending a sequence of crafted requests can gradually learn the plaintext or determine valid padding. This can expose sensitive information stored in session cookies or other data that the interceptor encrypts, leading to a confidentiality breach. The weakness corresponds to improper handling of cryptographic padding and can be classified under cryptographic failures that enable decryption of protected data.", "risk_and_exploitability": "The CVSS score is not provided in the available data, and the EPSS score is unavailable. Because the vulnerability requires only the ability to submit requests to the interceptor, the attack vector is most likely over HTTP or HTTPS, and the attacker does not need privileged access. The lack of publicly available exploitation scripts suggests that active exploitation may be limited, yet the potential for decryption of confidential data makes the risk significant for exposed applications. The vulnerability is not listed in the KEV catalog, but its impact on data confidentiality warrants immediate attention."}}}}, "created": "2026-04-10T08:38:55.553590+00:00", "updated": "2026-04-10T09:29:40.479510+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}