An update for tomcat is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1970 Final 1.0 1.0 2026-04-17 Initial 2026-04-17 2026-04-17 openEuler SA Tool V1.0 2026-04-17 tomcat security update An update for tomcat is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2 Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Security Fix(es): Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.(CVE-2026-24880) Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-25854) Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-29129) CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.(CVE-2026-29145) Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.(CVE-2026-29146) Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.(CVE-2026-32990) Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.(CVE-2026-34483) Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34486) Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.(CVE-2026-34487) CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.(CVE-2026-34500) An update for tomcat is now available for openEuler-24.03-LTS-SP3,openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1,openEuler-24.03-LTS-SP2. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical tomcat https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-24880 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-25854 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-29129 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-29145 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-29146 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-32990 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34483 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34486 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34487 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-34500 https://nvd.nist.gov/vuln/detail/CVE-2026-24880 https://nvd.nist.gov/vuln/detail/CVE-2026-25854 https://nvd.nist.gov/vuln/detail/CVE-2026-29129 https://nvd.nist.gov/vuln/detail/CVE-2026-29145 https://nvd.nist.gov/vuln/detail/CVE-2026-29146 https://nvd.nist.gov/vuln/detail/CVE-2026-32990 https://nvd.nist.gov/vuln/detail/CVE-2026-34483 https://nvd.nist.gov/vuln/detail/CVE-2026-34486 https://nvd.nist.gov/vuln/detail/CVE-2026-34487 https://nvd.nist.gov/vuln/detail/CVE-2026-34500 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 tomcat-9.0.117-1.oe2403sp3.noarch.rpm tomcat-help-9.0.117-1.oe2403sp3.noarch.rpm tomcat-jsvc-9.0.117-1.oe2403sp3.noarch.rpm tomcat-9.0.117-1.oe2003sp4.noarch.rpm tomcat-help-9.0.117-1.oe2003sp4.noarch.rpm tomcat-jsvc-9.0.117-1.oe2003sp4.noarch.rpm tomcat-9.0.117-1.oe2203sp4.noarch.rpm tomcat-help-9.0.117-1.oe2203sp4.noarch.rpm tomcat-jsvc-9.0.117-1.oe2203sp4.noarch.rpm tomcat-9.0.117-1.oe2403.noarch.rpm tomcat-help-9.0.117-1.oe2403.noarch.rpm tomcat-jsvc-9.0.117-1.oe2403.noarch.rpm tomcat-9.0.117-1.oe2403sp1.noarch.rpm tomcat-help-9.0.117-1.oe2403sp1.noarch.rpm tomcat-jsvc-9.0.117-1.oe2403sp1.noarch.rpm tomcat-9.0.117-1.oe2403sp2.noarch.rpm tomcat-help-9.0.117-1.oe2403sp2.noarch.rpm tomcat-jsvc-9.0.117-1.oe2403sp2.noarch.rpm tomcat-9.0.117-1.oe2403sp3.src.rpm tomcat-9.0.117-1.oe2003sp4.src.rpm tomcat-9.0.117-1.oe2203sp4.src.rpm tomcat-9.0.117-1.oe2403.src.rpm tomcat-9.0.117-1.oe2403sp1.src.rpm tomcat-9.0.117-1.oe2403sp2.src.rpm Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue. 2026-04-17 CVE-2026-24880 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Occasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-17 CVE-2026-25854 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-17 CVE-2026-29129 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. 2026-04-17 CVE-2026-29145 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 Critical 9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue. 2026-04-17 CVE-2026-29146 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-17 CVE-2026-32990 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue. 2026-04-17 CVE-2026-34483 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-17 CVE-2026-34486 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-17 CVE-2026-34487 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970 CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. 2026-04-17 CVE-2026-34500 openEuler-24.03-LTS-SP3 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 openEuler-24.03-LTS-SP2 Medium 6.5 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N tomcat security update 2026-04-17 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1970