Urgent Alert: Critical Apache Tomcat Flaws Demand Immediate Patching

ByAdmin April 15, 2026April 15, 2026

The Apache Software Foundation has released emergency security updates to address multiple severe vulnerabilities in Apache Tomcat, urging administrators to update their deployments immediately to secure environments against potential exploitation.

The latest advisories highlight a critical patching error that inadvertently exposed Apache Tomcat servers to an interception bypass, as well as issues affecting certificate authentication and padding-oracle attacks.

EncryptInterceptor Bypass and Padding Oracle Attacks

Most of the critical issues affecting Apache Tomcat stem from a flawed security patch. Initially, security researchers discovered CVE-2026-29146, an “Important” severity flaw where the EncryptInterceptor used Cipher Block Chaining (CBC) by default. This configuration left the server vulnerable to a padding oracle attack, potentially allowing malicious actors to decrypt intercepted traffic.

Oligo Security researchers Uri Katz and Avi Lumelsky identified and reported this initial cryptographic weakness in Apache Tomcat. To resolve the padding oracle threat, Apache released an initial round of updates.

However, this fix inadvertently introduced a new, equally severe vulnerability tracked as CVE-2026-34486.

Identified by Bartlomiej Dmitruk from striga.ai, this subsequent flaw allowed attackers to bypass the EncryptInterceptor completely. Because the initial patch was defective, organizations running the intermediary update versions of Apache Tomcat are currently exposed to this bypass mechanism.

OCSP Certificate Validation Failure (CVE-2026-34500)

Alongside the EncryptInterceptor issues, Apache addressed a “Moderate” severity vulnerability tracked as CVE-2026-34500. This flaw impacts the Online Certificate Status Protocol (OCSP) checks within Apache Tomcat. Under specific conditions, when the Foreign Function and Memory (FFM) API is used, the system experiences a soft fail during OCSP validation, even if the administrator explicitly disabled soft-failing.

Consequently, CLIENT_CERT authentication does not fail as expected, creating unexpected authentication behaviors that could compromise access controls. Haruki Oyama from Waseda University discovered and reported this certificate validation error in Apache Tomcat.

Affected Apache Tomcat Versions

These vulnerabilities impact multiple branches of Apache Tomcat. The flawed patch that allows the EncryptInterceptor bypass (CVE-2026-34486) specifically affects these exact releases:

Apache Tomcat 11.0.20
Apache Tomcat 10.1.53
Apache Tomcat 9.0.116

The broader vulnerabilities, including the initial padding oracle attack and the certificate validation failures, impact a wider range of earlier Apache Tomcat versions:

Apache Tomcat 11.0.0-M1 through 11.0.20
Apache Tomcat 10.1.0-M1 through 10.1.53
Apache Tomcat 9.0.13 through 9.0.116

Immediate Action Required: Update Your Apache Tomcat Deployments

To resolve all three critical vulnerabilities, including the flawed EncryptInterceptor patch and the OCSP certificate validation failure, administrators must upgrade their systems to the latest secure releases. The Apache Software Foundation strongly recommends applying the following updates:

Upgrade Apache Tomcat 11.x deployments to version 11.0.21 or later
Upgrade Apache Tomcat 10.x deployments to version 10.1.54 or later
Upgrade Apache Tomcat 9.x deployments to version 9.0.117 or later

Organizations running older, End-of-Life (EOL) versions of Apache Tomcat should migrate to a supported branch immediately, as these legacy systems will not receive patches for the padding oracle attack or subsequent bypass flaws, leaving them exposed to severe risks.

Zero-Day Exploits | Browser Security | Cybersecurity

Urgent: Chrome Emergency Patch Deploys Against Active Zero-Day Exploit
ByAdmin April 6, 2026April 6, 2026

Google has issued a critical Chrome emergency patch for its Chrome browser, addressing a severe zero-day vulnerability (CVE-2026-5281) that is currently being actively exploited in the wild. This urgent update brings the Stable channel to version 146.0.7680.177/178 for Windows and Mac, and 146.0.7680.177 for Linux. Users are strongly advised to update their browsers immediately as…

Read More Urgent: Chrome Emergency Patch Deploys Against Active Zero-Day Exploit
Cybersecurity | Phishing | Threat Intelligence

Urgent Warning: Sophisticated Fake Microsoft Teams Attacks Threaten Organizations
ByAdmin April 14, 2026April 14, 2026

Cybercriminals are launching a sophisticated new wave of attacks using fake Microsoft Teams domains. According to recent threat intelligence shared by SEAL Org, hackers are actively tricking corporate users into downloading malicious payloads by mimicking the widely used communication platform. As Microsoft Teams remains an essential tool for remote and hybrid work environments, threat actors…

Read More Urgent Warning: Sophisticated Fake Microsoft Teams Attacks Threaten Organizations
Cybersecurity | Nginx | Vulnerability Alerts

Urgent Warning: Critical Nginx-UI Flaw Explosed, Enabling Full System Compromise
ByAdmin April 6, 2026April 6, 2026

Critical Nginx-UI Flaw (CVE-2026-33026) Exposes Systems to Full Compromise A severe security vulnerability, tracked as CVE-2026-33026, has been disclosed in the Nginx-UI backup restore mechanism. This critical flaw allows threat actors to manipulate encrypted backup archives and inject malicious configurations during the restoration process, putting unpatched deployments at immediate risk of full system compromise. With…

Read More Urgent Warning: Critical Nginx-UI Flaw Explosed, Enabling Full System Compromise
Cybersecurity | Fortinet | Vulnerability | Zero-Day

Urgent Warning: Critical Fortinet FortiClient EMS Zero-Day Actively Exploited
ByAdmin April 14, 2026April 14, 2026

Fortinet has issued an emergency hotfix following the disclosure of a critical zero-day vulnerability in its FortiClient EMS product. This flaw, actively exploited by threat actors in the wild, poses a severe risk to organizations, particularly those with internet-exposed deployments of FortiClient EMS. Understanding the Critical FortiClient EMS Zero-Day Tracked as CVE-2026-35616 and assigned a…

Read More Urgent Warning: Critical Fortinet FortiClient EMS Zero-Day Actively Exploited
Cybersecurity | Enterprise Security | Network Security | Vulnerability

Urgent Warning: Critical F5 BIG-IP APM Flaw Actively Exploited, Thousands at Grave Risk
ByAdmin April 14, 2026April 14, 2026

A critical security flaw in F5’s BIG-IP Access Policy Manager (APM) is currently under active exploitation, leaving thousands of enterprise networks at risk. This vulnerability, officially tracked as CVE-2025-53521, has sparked urgent warnings across the cybersecurity community after its impact was upgraded from a standard Denial-of-Service (DoS) to a severe Remote Code Execution (RCE) flaw….

Read More Urgent Warning: Critical F5 BIG-IP APM Flaw Actively Exploited, Thousands at Grave Risk
Cybersecurity | Cisco | Vulnerability Alerts

Urgent Warning: Critical Cisco SSM On-Prem Vulnerability Demands Immediate Action
ByAdmin April 14, 2026April 14, 2026

Urgent Cisco Security Alert: Critical SSM On-Prem Flaw Exposed Cisco has issued an urgent security warning regarding a critical vulnerability within its Smart Software Manager On-Prem (SSM On-Prem) platform. This widely-used tool, essential for managing Cisco software licenses locally in enterprise organizations, faces a severe threat. Tracked as CVE-2026-20160, this flaw carries a near-perfect CVSS…

Read More Urgent Warning: Critical Cisco SSM On-Prem Vulnerability Demands Immediate Action