Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

The version of tomcat installed on the remote host is prior to 9.0.117-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2026-025 advisory.

    Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache     Tomcat via invalid chunk extension.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from     9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.Other, unsupported     versions may also be affected.

    Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
    (CVE-2026-24880)

    Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the     LoadBalancerDrainingValve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from     9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.Other, unsupported versions may also be affected

    Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
    (CVE-2026-25854)

    Configured cipher preference order not preserved vulnerability in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114     through 9.0.115.

    Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
    (CVE-2026-29129)

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled     vulnerability in Apache Tomcat, Apache Tomcat Native.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from     9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from     1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

    Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and     9.0.116, which fix the issue. (CVE-2026-29145)

    Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from     9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

    Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
    (CVE-2026-29146)

    Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.

    This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113     through 9.0.115.

    Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
    (CVE-2026-32990)

    Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache     Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from     9.0.40 through 9.0.116.

    Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.
    (CVE-2026-34483)

    Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering     component of Apache Tomcat exposed the Kubernetes bearer token.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from     9.0.13 through 9.0.116.

    Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
    (CVE-2026-34487)

    CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM     is used in Apache Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from     9.0.92 through 9.0.116.

    Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
    (CVE-2026-34500)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1604-1 advisory.

    Security fixes:

    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).

    Other fixes:

    - Update to Tomcat 9.0.117

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1603-1 advisory.

    Security fixes:

    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).

    Other fixes:

    - Update to Tomcat 10.1.54

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20612-1 advisory.

    - Update to Tomcat 10.1.54
    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20611-1 advisory.

    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1558-1 advisory.

    Security fixes:

    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).

    Other fixes:

    - Update to Tomcat 11.0.21

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1572-1 advisory.

    Security fixes:

    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).

    Other fixes:

    - Update to Tomcat 9.0.117

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20595-1 advisory.

    - Update to Tomcat 11.0.21
    - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
    - CVE-2026-25854: Occasionally open redirect (bsc#1261851).
    - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
    - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
    - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
    - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
    - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token     (bsc#1261856).
    - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
    - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.54. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.54_security-10 advisory.

  - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering     component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are     recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. (CVE-2026-34487)

  - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM     is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22     through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54     or 9.0.117, which fixes the issue. (CVE-2026-34500)

  - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146     allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53,     9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
    (CVE-2026-34486)

  - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53,     from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 ,     which fix the issue. (CVE-2026-34483)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.117. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.117_security-9 advisory.

  - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering     component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are     recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. (CVE-2026-34487)

  - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM     is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22     through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54     or 9.0.117, which fixes the issue. (CVE-2026-34500)

  - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146     allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53,     9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
    (CVE-2026-34486)

  - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53,     from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 ,     which fix the issue. (CVE-2026-34483)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.21. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.21_security-11 advisory.

  - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering     component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are     recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. (CVE-2026-34487)

  - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM     is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22     through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54     or 9.0.117, which fixes the issue. (CVE-2026-34500)

  - Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146     allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53,     9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
    (CVE-2026-34486)

  - Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53,     from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 ,     which fix the issue. (CVE-2026-34483)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.13 prior to 9.0.117, 10.1.0-M1 prior to 10.1.54 or 11.0.0-M1 prior to 11.0.21. It is, therefore, affected by multiple vulnerabilities :

 - An error in the fix for CVE-2026-29146 allowed the EncryptInterceptor to be bypassed. (CVE-2026-34486)

 - CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. (CVE-2026-34500)

 - The cloud membership for clustering component exposed the Kubernetes bearer token in log messages. (CVE-2026-34487)

 - Incomplete escaping when non-default values were used for the Connector attributes relaxedPathChars and/or relaxedQueryChars allowed the injection of arbitrary JSON into the JSON access log. (CVE-2026-34483)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering     component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are     recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. (CVE-2026-34487)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
311140	Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2026-025 (ALASTOMCAT9-2026-025)	Nessus	Amazon Linux Local Security Checks	high
310238	SUSE SLES15 Security Update : tomcat (SUSE-SU-2026:1604-1)	Nessus	SuSE Local Security Checks	high
310234	SUSE SLES15 Security Update : tomcat10 (SUSE-SU-2026:1603-1)	Nessus	SuSE Local Security Checks	high
310087	openSUSE 16 Security Update : tomcat10 (openSUSE-SU-2026:20612-1)	Nessus	SuSE Local Security Checks	high
310085	openSUSE 16 Security Update : tomcat (openSUSE-SU-2026:20611-1)	Nessus	SuSE Local Security Checks	high
310062	SUSE SLES15 Security Update : tomcat11 (SUSE-SU-2026:1558-1)	Nessus	SuSE Local Security Checks	high
310057	SUSE SLES12 Security Update : tomcat (SUSE-SU-2026:1572-1)	Nessus	SuSE Local Security Checks	high
309888	openSUSE 16 Security Update : tomcat11 (openSUSE-SU-2026:20595-1)	Nessus	SuSE Local Security Checks	high
307013	Apache Tomcat 10.1.22 < 10.1.54 multiple vulnerabilities	Nessus	Web Servers	high
307003	Apache Tomcat 9.0.92 < 9.0.117 multiple vulnerabilities	Nessus	Web Servers	high
307002	Apache Tomcat 11.0.0.M14 < 11.0.21 multiple vulnerabilities	Nessus	Web Servers	high
115217	Apache Tomcat 9.0.13 < 9.0.117 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
115216	Apache Tomcat 10.1.0-M1 < 10.1.54 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
115215	Apache Tomcat 11.0.0-M1 < 11.0.21 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
305901	Linux Distros Unpatched Vulnerability : CVE-2026-34487	Nessus	Misc.	high

Detections

Analytics

CVE-2026-34487

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high