OESA-2026-1970

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1970
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-1970
Upstream
  • CVE-2026-24880
  • CVE-2026-25854
  • CVE-2026-29129
  • CVE-2026-29145
  • CVE-2026-29146
  • CVE-2026-32990
  • CVE-2026-34483
  • CVE-2026-34486
  • CVE-2026-34487
  • CVE-2026-34500
Published
2026-04-17T13:02:58Z
Modified
2026-04-17T13:20:45.837660Z
Summary
tomcat security update
Details

Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process.

Security Fix(es):

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.(CVE-2026-24880)

Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-25854)

Configured cipher preference order not preserved vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-29129)

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.(CVE-2026-29145)

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.(CVE-2026-29146)

Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-32990)

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.(CVE-2026-34483)

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor.

This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34486)

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34487)

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.(CVE-2026-34500)

Database specific 
{
    "severity": "Critical"
}
References

Affected packages

openEuler:20.03-LTS-SP4
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-20.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2003sp4

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2003sp4.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2003sp4.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2003sp4.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2003sp4.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"
openEuler:22.03-LTS-SP4
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2203sp4

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2203sp4.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2203sp4.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2203sp4.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2203sp4.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"
openEuler:24.03-LTS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2403sp2

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2403sp3.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp3.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp3.noarch.rpm",
        "tomcat-9.0.117-1.oe2403.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403.noarch.rpm",
        "tomcat-9.0.117-1.oe2403sp1.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp1.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp1.noarch.rpm",
        "tomcat-9.0.117-1.oe2403sp2.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp2.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp2.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2403sp3.src.rpm",
        "tomcat-9.0.117-1.oe2403.src.rpm",
        "tomcat-9.0.117-1.oe2403sp1.src.rpm",
        "tomcat-9.0.117-1.oe2403sp2.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"
openEuler:24.03-LTS-SP1
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2403sp1

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2403sp1.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp1.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp1.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2403sp1.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"
openEuler:24.03-LTS-SP2
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2403sp2

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2403sp2.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp2.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp2.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2403sp2.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"
openEuler:24.03-LTS-SP3
tomcat

Package

Name
tomcat
Purl
pkg:rpm/openEuler/tomcat&distro=openEuler-24.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-1.oe2403sp3

Ecosystem specific 

{
    "noarch": [
        "tomcat-9.0.117-1.oe2403sp3.noarch.rpm",
        "tomcat-help-9.0.117-1.oe2403sp3.noarch.rpm",
        "tomcat-jsvc-9.0.117-1.oe2403sp3.noarch.rpm"
    ],
    "src": [
        "tomcat-9.0.117-1.oe2403sp3.src.rpm"
    ]
}

Database specific

source 
"https://repo.openeuler.org/security/data/osv/OESA-2026-1970.json"