Apache Tomcat Suffers Critical Padding Oracle Vulnerability
CVE Notify is flagging a serious Padding Oracle vulnerability impacting multiple versions of Apache Tomcat. The issue resides in the EncryptInterceptor component when it runs with its default configuration. The impact is more than a minor glitch: a Padding Oracle attack can allow an adversary to decrypt sensitive information transmitted through the affected Tomcat instances without knowing the encryption key.
According to CVE Notify, the vulnerability affects a wide range of Tomcat versions, including those from 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. This broad impact means many organizations could be exposed if they haven’t patched their Tomcat deployments.
To address this, CVE Notify strongly recommends upgrading to patched versions. Specifically, users should move to Tomcat 11.0.19, 10.1.53, or 9.0.116. Given the potential for data decryption, prompt patching is essential for securing web applications and sensitive data hosted on these servers.
What This Means For You
- Organizations using Apache Tomcat should immediately audit their deployments for the affected versions and prioritize upgrading to the patched releases (11.0.19, 10.1.53, or 9.0.116) to mitigate the risk of sensitive data decryption via Padding Oracle attacks.
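The audit recommended above is easy to get wrong by hand because Tomcat milestone builds (for example 11.0.0-M1) sort before the GA release of the same number. The following Python script, added here as an example and not part of the CVE Notify article or of Apache Tomcat, encodes the affected ranges and fixed releases exactly as listed on this page and checks an inventory of version strings against them. The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Check Tomcat version strings against the affected ranges listed in the advisory."""
import re
from typing import List, Optional, Tuple

# Accepts plain "9.0.110", milestone "11.0.0-M1", and the "Apache Tomcat/9.0.110"
# form that Tomcat itself reports as its server info string.
VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a tuple that orders correctly under Python comparison.

    Milestones (11.0.0-M1) precede the GA release of the same number, so they
    get rank 0 with their milestone number; GA releases get rank 1 and 0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges and the fixed release per branch, as given in the
# advisory text above. The 8.5 and 7.0 lines have no fixed release listed.
AFFECTED_RANGES: List[Tuple[str, str, Optional[str]]] = [
    ("11.0.0-M1", "11.0.18", "11.0.19"),
    ("10.0.0-M1", "10.1.52", "10.1.53"),
    ("9.0.13", "9.0.115", "9.0.116"),
    ("8.5.38", "8.5.100", None),
    ("7.0.100", "7.0.109", None),
]


def check_version(text: str) -> dict:
    """Classify one version string: affected or not, and what to upgrade to."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return {"version": text, "affected": True, "upgrade_to": fixed}
    return {"version": text, "affected": False, "upgrade_to": None}


def audit(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Run check_version over (host, version) pairs and attach the host name."""
    return [dict(host=host, **check_version(version)) for host, version in inventory]


# Constructed sample inventory; hosts and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("app-01.example.internal", "9.0.110"),
    ("app-02.example.internal", "Apache Tomcat/9.0.116"),
    ("app-03.example.internal", "11.0.0-M5"),
    ("app-04.example.internal", "10.1.53"),
    ("legacy-01.example.internal", "8.5.99"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        status = "AFFECTED" if row["affected"] else "ok"
        fix = f" -> upgrade to {row['upgrade_to']}" if row["upgrade_to"] else ""
        if row["affected"] and not row["upgrade_to"]:
            fix = " -> no fixed release listed for this branch"
        print(f"{row['host']:28} {row['version']:24} {status}{fix}")
```

A version match tells you the vulnerable code is present on a host. Whether that host is actually exposed also depends on whether EncryptInterceptor is configured at all, since the advisory ties the issue to that component running with its default configuration; treat a match as a reason to confirm the cluster configuration and schedule the upgrade, not as proof of exploitation.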
Related ATT&CK Techniques
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-29146 | Cryptographic Failure | Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, 7.0.100 through 7.0.109. Vulnerability in EncryptInterceptor with default configuration. |