Apache Tomcat fixes EncryptInterceptor bypass and related security flaws
Apache Tomcat users need to patch again if they updated last month for the EncryptInterceptor issue. Apache has now disclosed that the earlier fix for CVE-2026-29146 introduced a new flaw, CVE-2026-34486, which can let attackers bypass the EncryptInterceptor entirely in specific Tomcat releases.
The newly disclosed bypass affects Apache Tomcat 11.0.20, 10.1.53, and 9.0.116. Apache and NVD both recommend upgrading to 11.0.21, 10.1.54, or 9.0.117 to fix it.
This matters because CVE-2026-34486 is not a separate, unrelated bug. It exists because the fix for CVE-2026-29146, a padding oracle issue in Tomcat’s EncryptInterceptor, turned out to be incomplete. In other words, some servers that patched quickly in March still need another update in April.
What went wrong with EncryptInterceptor
The original issue, CVE-2026-29146, affected Tomcat’s EncryptInterceptor when it used CBC mode by default. Apache described that flaw as an “Important” vulnerability because a padding oracle attack could let an attacker decrypt intercepted traffic under the right conditions.
Apache first addressed that issue in Tomcat 11.0.20, 10.1.53, and 9.0.116. But the follow-up advisory says that fix introduced CVE-2026-34486, which allowed the EncryptInterceptor to be bypassed in exactly those patched versions.
So the practical message for admins is simple. If you upgraded only to 11.0.20, 10.1.53, or 9.0.116 to deal with the padding oracle flaw, you are not fully protected yet. You need the newer April releases.
Another flaw affects certificate validation
Apache also disclosed CVE-2026-34500, a separate Moderate-severity issue involving OCSP checks in CLIENT_CERT authentication. Apache says that in some scenarios, when the Foreign Function and Memory API is used, OCSP checks could soft-fail even when soft-fail was explicitly disabled.
That means certificate-based authentication might not fail when it should. Apache lists the affected supported ranges as 11.0.0-M14 to 11.0.20, 10.1.22 to 10.1.53, and 9.0.92 to 9.0.116. The fix landed in 11.0.21, 10.1.54, and 9.0.117.
This flaw sits apart from the EncryptInterceptor issues, but it reinforces the same point. Admins should not treat the April Tomcat releases as optional cleanup. They close real security gaps that remained after the March updates.
Affected and fixed versions
| CVE | Summary | Affected versions | Fixed versions |
|---|---|---|---|
| CVE-2026-34486 | Bypass of EncryptInterceptor caused by incomplete fix for CVE-2026-29146 | 11.0.20, 10.1.53, 9.0.116 | 11.0.21, 10.1.54, 9.0.117 |
| CVE-2026-29146 | Padding oracle issue in EncryptInterceptor with default CBC configuration | 11.0.0-M1 to 11.0.18; 10.0.0-M1 to 10.1.52; 9.0.13 to 9.0.115; older unsupported 8.5.x and 7.0.x ranges also listed by NVD | 11.0.19/11.0.20 path, 10.1.53, 9.0.116 |
| CVE-2026-34500 | OCSP checks may soft-fail when FFM is used even if disabled | 11.0.0-M14 to 11.0.20; 10.1.22 to 10.1.53; 9.0.92 to 9.0.116 | 11.0.21, 10.1.54, 9.0.117 |
The supported-branch version data comes from Apache’s Tomcat security pages and NVD. NVD also notes older unsupported 8.5.x and 7.0.x exposure for CVE-2026-29146.
What admins should do now
- Upgrade Tomcat 11.x to 11.0.21 or later.
- Upgrade Tomcat 10.1.x to 10.1.54 or later.
- Upgrade Tomcat 9.0.x to 9.0.117 or later.
- Do not stop at 11.0.20, 10.1.53, or 9.0.116 if you patched for EncryptInterceptor in March. Those exact builds are affected by the bypass flaw.
- Plan migration away from unsupported Tomcat branches because older EOL releases will not receive normal supported-branch fixes. NVD still lists unsupported 8.5.x and 7.0.x exposure for CVE-2026-29146.
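The version ranges in the table above are easy to misread when a fleet mixes milestone builds (11.0.0-M14) with GA releases and three supported branches. The script below is an added example, not code from Apache or from this article: it encodes the table's inclusive ranges and the recommended fixed releases, parses Tomcat version strings with milestone-aware ordering (a milestone sorts before the GA release with the same numbers), and reports which of the three CVEs a given version falls under and whether it is at or past the fix. The version-string format, the `EOL_MAJORS` treatment of 8.5.x and 7.0.x, and the sample inventory are assumptions for illustration.

```python
import re

# Constructed from the article's "Affected and fixed versions" table
# (supported branches only). Ranges are inclusive: (first affected, last affected).
AFFECTED = {
    "CVE-2026-34486": [("11.0.20", "11.0.20"), ("10.1.53", "10.1.53"), ("9.0.116", "9.0.116")],
    "CVE-2026-29146": [("11.0.0-M1", "11.0.18"), ("10.0.0-M1", "10.1.52"), ("9.0.13", "9.0.115")],
    "CVE-2026-34500": [("11.0.0-M14", "11.0.20"), ("10.1.22", "10.1.53"), ("9.0.92", "9.0.116")],
}

# Releases the advisory recommends, keyed by major version.
FIXED = {11: "11.0.21", 10: "10.1.54", 9: "9.0.117"}

# Branches the article describes as unsupported; NVD still lists them for CVE-2026-29146.
# (Assumption: any 8.x or 7.x install is treated as an EOL branch.)
EOL_MAJORS = {8, 7}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '11.0.0-M14' or '9.0.116' into a sortable tuple.

    Milestones (11.0.0-M14) must sort before the GA release with the same
    numbers (11.0.0), so the tuple carries an is_ga flag ahead of the M number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def in_range(version, low, high):
    """Inclusive range test using the milestone-aware ordering."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(version):
    """Report which of the three CVEs a given Tomcat version falls under.

    Returns a dict with: the version, whether the branch is supported, the
    sorted list of matching CVE ids, whether the version is at or past the
    recommended fix, the release to upgrade to (None for EOL branches), and
    an optional note.
    """
    parsed = parse_version(version)
    major = parsed[0]
    affected = sorted(
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    )
    supported = major in FIXED
    note = None
    if major in EOL_MAJORS:
        note = "EOL branch: NVD lists CVE-2026-29146 exposure; move to a supported branch"
    return {
        "version": version,
        "supported": supported,
        "affected": affected,
        # Short-circuit keeps FIXED[major] from being looked up for EOL branches.
        "patched": supported and parsed >= parse_version(FIXED[major]),
        "upgrade_to": FIXED.get(major),
        "note": note,
    }


if __name__ == "__main__":
    # Constructed sample inventory: versions an admin might find after the March patch round.
    for v in ["11.0.20", "11.0.21", "10.1.10", "9.0.100", "11.0.0-M20", "8.5.100"]:
        r = triage(v)
        status = "OK" if r["patched"] else "UPGRADE"
        print(f"{v:<11} {status:<8} affected={r['affected']} "
              f"upgrade_to={r['upgrade_to']} {r['note'] or ''}")
```

Run it against the output of `catalina.sh version` or the `ServerInfo` string from each node. Note that a server on 11.0.20 is reported as affected by both CVE-2026-34486 and CVE-2026-34500 even though it already has the March padding-oracle fix, which is exactly the "do not stop at 11.0.20" point above; only 11.0.21, 10.1.54 or 9.0.117 comes back as patched.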
FAQ
CVE-2026-34486 is the most urgent for many supported deployments because it affects the exact versions that users may have installed to fix CVE-2026-29146.
Apache’s current recommended fixed versions are 11.0.21, 10.1.54, and 9.0.117.
Yes. The Apache announcement for CVE-2026-34486 says the fix for CVE-2026-29146 allowed bypass of the EncryptInterceptor.
No. CVE-2026-34500 is a separate certificate-validation issue involving OCSP behavior when the FFM API is used.