CVE-2026-29146

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

09/04/2026

Last modified:

10/04/2026

Description

Padding Oracle vulnerability in Apache Tomcat&#39;s EncryptInterceptor with default configuration.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.<br /> <br /> Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Impact

References to Advisories, Solutions, and Tools

https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
http://www.openwall.com/lists/oss-security/2026/04/09/24