CVE-2026-29146
DOCUMENTATION: A flaw was found in Apache Tomcat. This Padding Oracle vulnerability, present in the EncryptInterceptor with its default configuration, could allow a remote attacker to decrypt sensitive information. By exploiting weaknesses in the encryption padding, an attacker may be able to gain unauthorized access to data that should remain confidential.
STATEMENT: Important: A padding oracle vulnerability exists in Apache Tomcat's EncryptInterceptor when using its default configuration. This flaw could allow a remote attacker to decrypt sensitive information by exploiting weaknesses in the encryption padding. This vulnerability is not exploitable in any supported Red Hat products, because EncryptInterceptor is a Tomcat component used to encrypt communication between the nodes of a cluster, and Tomcat clustering has not been tested or supported by Red Hat since Red Hat Enterprise Linux 7. More details about Tomcat clustering in Red Hat supported products can be found on the following Solution page:
https://access.redhat.com/solutions/67862
MITIGATION: This vulnerability can be mitigated by removing the affected jar file from the Tomcat installation, by running the following commands as root:
systemctl stop tomcat
rm -fv /usr/share/java/tomcat/catalina-tribes.jar
systemctl start tomcat
Note that if the Tomcat instance is configured to run with clustering, removing the jar may cause errors when the tomcat service restarts. Red Hat's distributed Apache Tomcat should not be run with clustering enabled, so disable that configuration before proceeding with the mitigation if it is in use.
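As an added example (not part of the Red Hat advisory), the following POSIX shell wrapper applies the jar removal above only after confirming that no active <Cluster> element is configured in server.xml, which is the failure case the advisory warns about. The jar path is the one named in the advisory; the /etc/tomcat/server.xml location and the --apply flag are assumptions.

```shell
#!/bin/sh
# Guarded mitigation for CVE-2026-29146 on Red Hat's Tomcat packaging.
# Constructed example; paths are assumed, adjust them to the installation.

# Return 0 if server.xml contains a <Cluster> element that is not inside an
# XML comment (Tomcat's stock server.xml ships one commented out, which is
# not clustering and must not block the mitigation).
cluster_enabled() {
    conf="$1"
    sed 's/<!--.*-->//g' "$conf" |    # drop single-line comments
        sed '/<!--/,/-->/d' |          # drop multi-line comment blocks
        grep -q '<Cluster'
}

# Stop Tomcat, remove catalina-tribes.jar and restart, unless clustering is
# configured (then refuse, as the advisory says to disable it first).
mitigate() {
    conf="${1:-/etc/tomcat/server.xml}"
    jar="${2:-/usr/share/java/tomcat/catalina-tribes.jar}"
    if [ ! -r "$conf" ]; then
        echo "refusing: cannot read $conf to check for clustering" >&2
        return 1
    fi
    if cluster_enabled "$conf"; then
        echo "refusing: clustering is configured in $conf; disable it first" >&2
        return 1
    fi
    if [ ! -e "$jar" ]; then
        echo "nothing to do: $jar is already absent"
        return 0
    fi
    systemctl stop tomcat
    rm -fv "$jar"
    systemctl start tomcat
}

# Only act when invoked as "sh mitigate.sh --apply"; otherwise the functions
# can be sourced and tested without touching the running service.
if [ "${1:-}" = "--apply" ]; then
    mitigate
fi
```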
References
https://access.redhat.com/security/cve/CVE-2026-29146
