Padding Oracle Vulnerability in Apache Tomcat EncryptInterceptor (CVE-2026-29146)

April 30th, 2026

High

Our Cyber Threat Intelligence Unit is monitoring a high-severity vulnerability in Apache Tomcat, CVE-2026-29146. Disclosed in April 2026, this issue affects the EncryptInterceptor component, which secures communication between nodes in Tomcat clusters. By default, EncryptInterceptor uses Cipher Block Chaining (CBC) mode, making cluster traffic vulnerable to padding oracle attacks. Attackers with access to the cluster communication channel can decrypt intercepted traffic without the encryption key. Organizations using clustered Tomcat deployments risk compromised confidentiality and integrity of inter-node communications. Initial patch releases (11.0.19, 10.1.53, 9.0.116) introduced a separate vulnerability, CVE-2026-34486, which allows complete bypass of EncryptInterceptor. Upgrading to these intermediary versions does not resolve the issue. Promptly upgrade to the correct fixed versions and ensure secure network configuration to reduce exposure.

Technical Details

  • CVE ID: CVE-2026-29146

    • Score: 7.5 (CISA-ADP)

  • Severity: High

  • Vulnerability Type: Padding Oracle Attack

  • Attack Vector: Network-based; targets Tomcat inter-node cluster communication

  • Affected Versions:

    • Apache Tomcat 11.x: 11.0.0-M1 through 11.0.18

    • Apache Tomcat 10.x: 10.0.0-M1 through 10.1.52

    • Apache Tomcat 9.x: 9.0.13 through 9.0.115

    • Apache Tomcat 8.5.x: 8.5.38 through 8.5.100

    • Apache Tomcat 7.x: 7.0.100 through 7.0.109

  • Fixed Versions:

    • Apache Tomcat 11.x: 11.0.21 or later

    • Apache Tomcat 10.x: 10.1.54 or later

    • Apache Tomcat 9.x: 9.0.117 or later

    • Apache Tomcat 8.5.x: No patch available (EOL)

    • Apache Tomcat 7.x: No patch available (EOL)

Note: Intermediary patch versions 11.0.19, 10.1.53, and 9.0.116 should not be treated as safe. These releases contained a defective fix that introduced CVE-2026-34486, a separate vulnerability that allows a complete bypass of the EncryptInterceptor. Organizations must upgrade directly to 11.0.21+, 10.1.54+, or 9.0.117+.
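The version ranges above can be turned into an inventory check. The following is an added example, not code from Apache Tomcat or from the advisory's authors; the status labels and host names are hypothetical, and any version the advisory does not classify is reported as not listed rather than guessed.

```python
import re

# Ranges copied from the advisory: (first affected, last affected,
# defective interim release, first fixed). None = EOL branch, no patch.
BRANCHES = {
    "11":  ("11.0.0-M1", "11.0.18", "11.0.19", "11.0.21"),
    "10":  ("10.0.0-M1", "10.1.52", "10.1.53", "10.1.54"),
    "9":   ("9.0.13", "9.0.115", "9.0.116", "9.0.117"),
    "8.5": ("8.5.38", "8.5.100", None, None),
    "7":   ("7.0.100", "7.0.109", None, None),
}

def parse(version):
    """Turn '11.0.0-M1' or '9.0.116' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    # Milestone builds sort before the plain release of the same number.
    tail = (0, int(m.group(4))) if m.group(4) else (1, 0)
    return (major, minor, patch) + tail

def triage(version):
    """Classify a Tomcat version against the ranges in this advisory."""
    v = parse(version)
    key = "8.5" if v[:2] == (8, 5) else str(v[0])
    if key not in BRANCHES:
        return "not-listed"
    first, last, interim, fixed = BRANCHES[key]
    if parse(first) <= v <= parse(last):
        return "vulnerable" if fixed else "vulnerable-eol-no-patch"
    if interim and v == parse(interim):
        return "defective-fix"      # carries CVE-2026-34486; not a safe target
    if fixed and v >= parse(fixed):
        return "fixed"
    return "not-listed"             # e.g. 11.0.20, which the advisory does not classify

if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    inventory = {"app-node-1": "9.0.116", "app-node-2": "10.1.54",
                 "legacy-1": "8.5.100", "edge-1": "11.0.0-M1"}
    for host, ver in inventory.items():
        print(f"{host:12} {ver:12} {triage(ver)}")
```
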

  • Vulnerability Description:

    • CVE-2026-29146 exists in the EncryptInterceptor component of Apache Tomcat's clustering implementation.

    • In its default configuration, EncryptInterceptor applies CBC mode encryption to inter-node cluster traffic.

    • CBC mode is susceptible to padding oracle attacks when the implementation does not handle decryption errors in a way that prevents an attacker from inferring plaintext from error responses.

    • The vulnerability was identified by Oligo Security researchers Uri Katz and Avi Lumelsky.

  • Attack Chain:

    • The attacker gains access to the internal network segment carrying Tomcat cluster communication traffic.

    • The attacker monitors inter-node traffic to observe encrypted messages exchanged between cluster members.

    • Using the padding oracle technique, the attacker submits crafted ciphertext blocks to the cluster and observes how nodes respond to decryption errors.

    • Differential error responses allow the attacker to iteratively recover plaintext without possessing the encryption key.

    • Depending on the sensitivity of the data in cluster traffic, the attacker may recover session state, application data, or authentication material transmitted between nodes.

Note: Exploitation does not require authentication. It does require network-level access to the cluster communication channel. Environments with insufficient internal network segmentation or exposed cluster ports face elevated risk.

Impact

Successful exploitation of CVE-2026-29146 may result in:

  • Decryption of sensitive data transmitted between Tomcat cluster nodes, including session state and application-layer content.

  • Unauthorized modification or injection of cluster communication messages if decrypted content is used to craft forged traffic.

  • Breakdown of trust between clustered nodes as a result of manipulated inter-node traffic.

  • Downstream application-level impact, depending on how cluster messages are consumed by the application.

Detection Method

Organizations should consider the following detection and monitoring actions:

  • Monitor Tomcat logs for errors or anomalies associated with EncryptInterceptor or cluster communication processing, particularly repeated cryptographic or padding-related error messages, which may indicate active oracle probing.

  • Inspect network traffic for abnormal or malformed inter-node cluster communication, including unusual traffic volumes or unexpected source addresses communicating on cluster ports.

  • Identify unexpected or unauthorized systems communicating with cluster nodes.

  • Audit firewall and network segmentation rules to confirm cluster communication ports are not accessible from untrusted network segments.

  • Correlate application and network logs for anomalies in clustered environments that may indicate reconnaissance or active exploitation attempts.
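The log-monitoring item above, looking for repeated decryption or padding errors, can be implemented as a sliding-window count. This is an added example, not part of the original advisory or of Tomcat; the sample log lines are constructed, and the message text, keyword pattern, threshold and window are assumptions to adjust to what your own nodes emit.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Timestamp prefix of Tomcat's default one-line log layout.
TS = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ")
# Assumed keywords; replace with the decryption/padding errors your nodes log.
SUSPECT = re.compile(r"EncryptInterceptor.*(decrypt|padding)|BadPaddingException", re.I)

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return (start, end, count) for each run of >= threshold suspect lines
    that fall within `window` of each other."""
    recent, bursts, active = deque(), [], None
    for line in lines:
        m = TS.match(line)
        if not m or not SUSPECT.search(line):
            continue
        now = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        recent.append(now)
        while now - recent[0] > window:      # drop events older than the window
            recent.popleft()
        if len(recent) < threshold:
            active = None                    # isolated errors do not alert
        elif active is None:
            active = [recent[0], now, len(recent)]
            bursts.append(active)
        else:                                # burst still running: extend it
            active[1], active[2] = now, active[2] + 1
    return [tuple(b) for b in bursts]

def sample_lines():
    """Constructed log: one isolated error, then seven errors in six seconds."""
    err = ("SEVERE [Tribes-Task-Receiver-1] org.apache.catalina.tribes.group."
           "interceptors.EncryptInterceptor.messageReceived Failed to decrypt message")
    lines = ["30-Apr-2026 10:15:01.120 INFO [main] "
             "org.apache.catalina.startup.Catalina.start Server startup",
             f"30-Apr-2026 10:20:00.010 {err}"]
    lines += [f"30-Apr-2026 11:02:{10 + i}.000 {err}" for i in range(7)]
    return lines

if __name__ == "__main__":
    for start, end, count in find_bursts(sample_lines()):
        print(f"possible oracle probing: {count} decrypt errors "
              f"between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

A single failed decryption can be a misconfigured key on one node; the sustained burst is the pattern worth correlating with unexpected source addresses on the cluster port.
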

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations

  • Patch to the correct fixed version immediately:

    • Upgrade to 11.0.21+, 10.1.54+, or 9.0.117+.

    • Do not treat 11.0.19, 10.1.53, or 9.0.116 as safe; these versions contain CVE-2026-34486, which allows full EncryptInterceptor bypass.

    • Organizations running EOL Tomcat 8.5.x or 7.0.x branches have no available patch, and face sustained exposure until migration to a supported version is completed.

  • Migrate EOL deployments:

    • Organizations running Apache Tomcat 8.5.x or 7.0.x must migrate to a supported branch, as no patches are available for those versions.

  • Restrict cluster communication channels:

    • Confirm that cluster traffic is limited to trusted internal networks and is not reachable from untrusted hosts or external networks. Firewall rules should restrict access to cluster communication ports to only those systems that require it.

  • Disable clustering if not required:

    • If Tomcat clustering or EncryptInterceptor is not actively used, disable the feature to eliminate the attack surface.

  • Enforce network segmentation:

    • Isolate application tiers and restrict lateral movement paths within environments hosting Tomcat clusters.

  • Implement TLS for cluster communication:

    • Where clustering is required, supplement EncryptInterceptor with TLS-based transport controls to add a layer of protection to inter-node traffic.

  • Monitor continuously:

    • Track cluster communication behavior and investigate anomalies, particularly repeated decryption errors, which may indicate active padding oracle probing.

Conclusion

CVE-2026-29146 is a high-severity padding oracle vulnerability in Apache Tomcat's EncryptInterceptor component, caused by the default use of CBC mode. Exploitation requires network access to the cluster communication channel, but it may allow attackers to decrypt sensitive inter-node traffic and compromise the integrity of clustered applications. Organizations should upgrade directly to versions 11.0.21, 10.1.54, or 9.0.117, skipping intermediary patch releases that introduced a bypass vulnerability. Deployments on unsupported 8.5.x or 7.0.x branches should prioritize migration. Restrict cluster communication to trusted internal segments and maintain layered transport controls, regardless of patch status.