CVE-2026-29146
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.
A high-severity vulnerability (CVE-2026-29146) has been identified in Apache Tomcat's EncryptInterceptor component, which is used to encrypt cluster communication between Tomcat instances. By default, the EncryptInterceptor uses AES/CBC/PKCS5Padding, a cipher mode that is vulnerable to padding oracle attacks. An attacker who can intercept cluster traffic could potentially exploit timing and error differences in CBC padding validation to decrypt encrypted messages.
Per OWASP: Incorrectly Configured Access Control occurs when security controls are not properly configured, leading to weakened security postures. In this case, the default encryption algorithm selection provides insufficient protection against cryptographic attacks on inter-node cluster communication.
This issue affects versions 7.0.100 through 7.0.109, 8.5.38 through 8.5.100, 9.0.13 through 9.0.115, 10.0.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18 of Apache Tomcat.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: tomcat-tribes
- Affected versions: >=7.0.100 <=7.0.109, >=8.5.38 <=8.5.100, >=9.0.13 <=9.0.115, >=10.0.0-M1 <=10.1.52, >=11.0.0-M1 <=11.0.18
- GitHub repository: https://github.com/apache/tomcat
- Published packages: https://repo1.maven.org/maven2/org/apache/tomcat/tomcat-tribes/
- Package manager: Maven
- Fixed in:
  - NES for Apache Tomcat
  - Apache Tomcat 11.0.20, 10.1.53, 9.0.116 (OSS)
Vulnerability Info
The vulnerability exists in EncryptInterceptor.java, which handles encryption of cluster communication between Tomcat instances. The default encryption algorithm remains AES/CBC/PKCS5Padding for backwards compatibility, while AES/GCM/NoPadding is the recommended algorithm.
CBC (Cipher Block Chaining) mode with PKCS5 padding is known to be vulnerable to padding oracle attacks. In a padding oracle attack, an attacker can determine whether decrypted data has valid padding by observing the application's behavior (error responses, timing differences). By iteratively modifying ciphertext blocks and observing the oracle's responses, the attacker can decrypt the entire message without knowing the encryption key.
The fix updates the documentation and comments to note that while AES/CBC/PKCS5Padding remains the default for backwards compatibility, AES/GCM/NoPadding is the recommended algorithm. The fix also adds comprehensive validation of cipher algorithm modes, blocking insecure modes (NONE, ECB, PCBC, CTS, KW, KWP, CTR) and logging a warning when CBC-based modes are used, recommending users switch to AES/GCM/NoPadding.
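One way to check a cluster configuration against the rules described above, as an added example rather than code from Tomcat or HeroDevs: it scans a server.xml for EncryptInterceptor elements and classifies the `encryptionAlgorithm` setting. The sample XML and its key placeholder are constructed, and the `review` verdict for a missing mode or a mode the advisory does not name is an assumption of this example.

```python
import xml.etree.ElementTree as ET

ENCRYPT_CLASS = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
DEFAULT_ALGORITHM = "AES/CBC/PKCS5Padding"  # default stated in the advisory
BLOCKED_MODES = {"NONE", "ECB", "PCBC", "CTS", "KW", "KWP", "CTR"}  # rejected by the fix

def classify(algorithm):
    """Map a cipher transformation (name/mode/padding) to a verdict."""
    parts = [p.strip().upper() for p in algorithm.split("/")]
    if len(parts) < 2 or not parts[1]:
        return "review"   # assumption of this example: no explicit mode, check by hand
    mode = parts[1]
    if mode in BLOCKED_MODES:
        return "blocked"  # patched versions refuse these modes
    if mode.startswith("CBC"):
        return "warn"     # padding oracle exposure; patched versions log a warning
    if mode.startswith("GCM"):
        return "ok"       # recommended: AES/GCM/NoPadding
    return "review"       # mode not named in the advisory

def audit(server_xml):
    """Return (algorithm, uses_default, verdict) for each EncryptInterceptor."""
    findings = []
    for elem in ET.fromstring(server_xml).iter("Interceptor"):
        if elem.get("className") != ENCRYPT_CLASS:
            continue
        configured = elem.get("encryptionAlgorithm")
        algorithm = configured or DEFAULT_ALGORITHM
        findings.append((algorithm, not configured, classify(algorithm)))
    return findings

# Constructed sample: the interceptor omits encryptionAlgorithm, so the CBC
# default applies. The key value is a placeholder, not a real key.
SAMPLE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                   encryptionKey="PLACEHOLDER-KEY"/>
    </Channel>
  </Cluster>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for algorithm, uses_default, verdict in audit(SAMPLE):
        source = "default" if uses_default else "configured"
        print(f"{verdict.upper():8} {algorithm} ({source})")
```

Every cluster member must be changed to the same algorithm together, since nodes configured with different transformations cannot decrypt each other's messages.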
The EncryptInterceptor was first introduced in Tomcat 8.5.38 (February 2019) and backported to Tomcat 7.0.100, which is why versions prior to those are not affected.
Note: The initial fix for this CVE introduced a regression (CVE-2026-34486) in Tomcat 9.0.116 that allowed the EncryptInterceptor to be bypassed entirely. This was corrected in Tomcat 9.0.117.
Mitigation
Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive any updates to address this issue. NES for Tomcat includes an update to 8.5.x to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credits
- Uri Katz and Avi Lumelsky from Oligo Security (finders)