
Description

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with the default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, and from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue.

PUBLISHED Reserved 2026-03-04 | Published 2026-04-09 | Updated 2026-04-10 | Assigner apache

Problem types

Padding Oracle

Product status

Default status
unaffected

11.0.0-M1 (semver)
affected

10.0.0-M1 (semver)
affected

9.0.13 (semver)
affected

8.5.38 (semver)
affected

7.0.100 (semver)
affected

Credits

Uri Katz and Avi Lumelsky (Oligo Security) finder

References

www.openwall.com/lists/oss-security/2026/04/09/24

lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w vendor-advisory

cve.org (CVE-2026-29146)

nvd.nist.gov (CVE-2026-29146)
