High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2026-34486

Severity: High
CVSS Score: 7.5
Published: Apr 09, 2026
Last Modified: Apr 14, 2026

Vulnerability Description

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: N
Attack Complexity: L
Privileges Required: N
User Interaction: N
Scope: U
Confidentiality: H
Integrity: N
Availability: N

Known Affected Software

3 configuration(s) from 1 vendor(s)

tomcat
Version: 10.1.53
CPE: cpe:2.3:a:apache:tomcat:10.1.53:*:*:*:*:*:*:*

tomcat
Version: 11.0.20
CPE: cpe:2.3:a:apache:tomcat:11.0.20:*:*:*:*:*:*:*

tomcat
Version: 9.0.116
CPE: cpe:2.3:a:apache:tomcat:9.0.116:*:*:*:*:*:*:*

This vulnerability affects 3 software configuration(s). Ensure you patch all affected systems.

Available Security Patches

1 patch available from vendors

SUSE

CVE-2026-34486
Severity: Unknown
Released: Apr 16, 2026
Security Update

Severity Details

7.5 out of 10.0 (High)

Weakness Type (CWE)

CWE-311: Missing Encryption of Sensitive Data

Description: The product does not encrypt sensitive or critical information before storage or transmission.
Exploit Likelihood: High
Typical Severity: Medium
Abstraction Level: Class

Key Information

Published Date: April 09, 2026