CVE-2026-29146: Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor

April 9, 2026 (updated April 10, 2026)

Padding Oracle vulnerability in Apache Tomcat’s EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

References

github.com/advisories/GHSA-h468-7pvh-8vr8
github.com/apache/tomcat
lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
nvd.nist.gov/vuln/detail/CVE-2026-29146

Code Behaviors & Features

Detect and mitigate CVE-2026-29146 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →