Apache Tomcat Vulnerabilities Allow Encryption Bypass, Padding Oracle Attacks; Urgent Updates Advised

Critical Apache Tomcat Vulnerabilities Expose Servers to Encryption Bypass and Padding Oracle Attacks

The Apache Software Foundation has recently issued urgent security updates to address multiple vulnerabilities in Apache Tomcat, a widely used open-source Java servlet container. These vulnerabilities include a critical patching error that inadvertently exposed servers to encryption bypasses, as well as issues affecting certificate authentication and susceptibility to padding oracle attacks. Administrators are strongly advised to update their deployments immediately to mitigate potential exploitation risks.

EncryptInterceptor Bypass and Padding Oracle Attacks

The most pressing concern arises from a flawed security patch. Initially, security researchers identified CVE-2026-29146, an Important severity flaw where the EncryptInterceptor utilized Cipher Block Chaining (CBC) mode by default. This configuration rendered the server vulnerable to padding oracle attacks, potentially allowing malicious actors to decrypt intercepted traffic.

Researchers Uri Katz and Avi Lumelsky from Oligo Security discovered and reported this cryptographic weakness. To address the padding oracle threat, Apache released an initial round of updates.

However, the fix introduced a new, equally severe vulnerability tracked as CVE-2026-34486. Identified by Bartlomiej Dmitruk from striga.ai, this subsequent flaw allowed attackers to completely bypass the EncryptInterceptor. Because the initial patch was defective, organizations running the intermediate releases that shipped it are currently exposed to this bypass.

Certificate Validation Flaws

In addition to the EncryptInterceptor issues, Apache addressed a Moderate severity vulnerability tracked as CVE-2026-34500. This flaw impacts the Online Certificate Status Protocol (OCSP) checks within Tomcat. Under specific conditions, when the Foreign Function and Memory (FFM) API is used, the system experiences a soft fail during OCSP validation, even if the administrator explicitly disabled soft-failing. Consequently, CLIENT_CERT authentication does not fail as expected, leading to unexpected authentication behaviors that could compromise access controls.

Haruki Oyama from Waseda University discovered and reported this certificate validation error.

Affected Versions

The vulnerabilities impact multiple branches of Apache Tomcat. The flawed patch that allows the EncryptInterceptor bypass (CVE-2026-34486) specifically affects the following releases:

– Apache Tomcat 11.0.20
– Apache Tomcat 10.1.53
– Apache Tomcat 9.0.116

The broader vulnerabilities, including the initial padding oracle attack and the certificate validation failures, affect a wider range of earlier versions:

– Apache Tomcat 11.0.0-M1 through 11.0.20
– Apache Tomcat 10.1.0-M1 through 10.1.53
– Apache Tomcat 9.0.13 through 9.0.116

Recommended Actions

To resolve all three vulnerabilities, including the flawed EncryptInterceptor patch and the OCSP certificate validation failure, administrators must upgrade their systems to the latest secure releases. The Apache Software Foundation strongly recommends applying the following updates:

– Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
– Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
– Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later

Organizations running older, End-of-Life (EOL) versions of Tomcat should migrate to a supported branch immediately, as these legacy systems will not receive patches for the padding oracle attack or subsequent bypass flaws.
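
The version lists above can be turned into a fleet triage check. The following Python sketch is an added example, not code from Apache or from the researchers; it maps a Tomcat version string to the CVEs exactly as this article lists them, and the host names and status labels are assumptions made for illustration.

```python
import re

RELEASE = 10**6  # milestone rank of a final release; sorts after any -M<n>
# Per branch, from the lists above: first affected (patch, milestone),
# last affected patch (also the release carrying the flawed fix), first fixed patch.
BRANCHES = {
    (11, 0): ((0, 1), 20, 21),
    (10, 1): ((0, 1), 53, 54),
    (9, 0): ((13, RELEASE), 116, 117),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def assess(version):
    """Return (status, [CVE ids]) for one Tomcat version string."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else RELEASE
    branch = BRANCHES.get((major, minor))
    if branch is None:
        return "unlisted-branch", []  # e.g. EOL lines: migrate, per the text
    first, last, fixed = branch
    if patch >= fixed:
        return "fixed", []
    if (patch, milestone) < first:
        return "below-listed-range", []
    cves = ["CVE-2026-29146", "CVE-2026-34500"]
    if patch == last:
        cves.append("CVE-2026-34486")  # flawed-patch release: bypass applies too
    return "affected", cves


if __name__ == "__main__":
    # Constructed inventory, not taken from the article.
    inventory = {"app01": "11.0.20", "app02": "10.1.40", "app03": "9.0.117",
                 "app04": "11.0.0-M5", "app05": "8.5.100"}
    for host, ver in inventory.items():
        status, cves = assess(ver)
        print(f"{host:6} {ver:10} {status:18} {', '.join(cves)}")
```

A result of "unlisted-branch" or "below-listed-range" means only that the version falls outside the ranges printed here, not that it is safe.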