{"schema_version":"1.7.2","id":"OESA-2026-1970","modified":"2026-04-17T13:02:58Z","published":"2026-04-17T13:02:58Z","upstream":["CVE-2026-24880","CVE-2026-25854","CVE-2026-29129","CVE-2026-29145","CVE-2026-29146","CVE-2026-32990","CVE-2026-34483","CVE-2026-34486","CVE-2026-34487","CVE-2026-34500"],"summary":"tomcat security update","details":"Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.\r\n\r\nSecurity Fix(es):\n\nInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\nOther, unsupported versions may also be affected.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.(CVE-2026-24880)\n\nOccasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\nOther, unsupported versions may also be affected\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-25854)\n\nConfigured cipher preference order not preserved vulnerability in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-29129)\n\nCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.(CVE-2026-29145)\n\nPadding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.(CVE-2026-29146)\n\nImproper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\n\nThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\n\nUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-32990)\n\nImproper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.(CVE-2026-34483)\n\nMissing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.\n\nThis issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34486)\n\nInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34487)\n\nCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.(CVE-2026-34500)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP3","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2403sp3"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2403sp3.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp3.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp3.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2403sp3.src.rpm"]}},{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2003sp4"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2003sp4.noarch.rpm","tomcat-help-9.0.117-1.oe2003sp4.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2003sp4.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2003sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:22.03-LTS-SP4","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2203sp4"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2203sp4.noarch.rpm","tomcat-help-9.0.117-1.oe2203sp4.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2203sp4.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2203sp4.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2403sp2"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2403sp3.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp3.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp3.noarch.rpm","tomcat-9.0.117-1.oe2403.noarch.rpm","tomcat-help-9.0.117-1.oe2403.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403.noarch.rpm","tomcat-9.0.117-1.oe2403sp1.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp1.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp1.noarch.rpm","tomcat-9.0.117-1.oe2403sp2.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp2.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp2.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2403sp3.src.rpm","tomcat-9.0.117-1.oe2403.src.rpm","tomcat-9.0.117-1.oe2403sp1.src.rpm","tomcat-9.0.117-1.oe2403sp2.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2403sp1.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp1.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp1.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2403sp1.src.rpm"]}},{"package":{"ecosystem":"openEuler:24.03-LTS-SP2","name":"tomcat","purl":"pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.oe2403sp2"}]}],"ecosystem_specific":{"noarch":["tomcat-9.0.117-1.oe2403sp2.noarch.rpm","tomcat-help-9.0.117-1.oe2403sp2.noarch.rpm","tomcat-jsvc-9.0.117-1.oe2403sp2.noarch.rpm"],"src":["tomcat-9.0.117-1.oe2403sp2.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24880"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25854"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29129"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29145"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29146"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32990"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34483"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34486"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34487"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34500"}],"database_specific":{"severity":"Critical"}}