Blog Trainings Request a Demo Login
Get Your Free Report
Start for Free
SOCRadar® Cyber Intelligence Inc. | CVE-2026-34486: Apache Tomcat Tribes Regression Creates Unauthenticated RCE Path
Table Of Content
Related Articles
SOCRadar® Cyber Intelligence Inc. | FortiSandbox Vulnerabilities Expose Systems to Auth Bypass and Command Execution
FortiSandbox Vulnerabilities Expose Systems to Auth Bypass and Command Execution
Jun 17, 2026
SOCRadar® Cyber Intelligence Inc. | May 2026: TeamPCP's Supply Chain Blitz Hits Checkmarx, GitHub, and npm
May 2026: TeamPCP's Supply Chain Blitz Hits Checkmarx, GitHub, and npm
Jun 16, 2026
SOCRadar® Cyber Intelligence Inc. | FortiBleed: The Compromise of 30,000 Fortinet Firewalls
FortiBleed: The Compromise of 30,000 Fortinet Firewalls
Jun 16, 2026
SOCRadar® Cyber Intelligence Inc. | CVE-2026-20262: Cisco Catalyst SD-WAN Manager Zero-Day Leads to Root
CVE-2026-20262: Cisco Catalyst SD-WAN Manager Zero-Day Leads to Root
Jun 16, 2026
SOCRadar® Cyber Intelligence Inc. | CVE-2026-35273 in Oracle PeopleSoft PeopleTools EMHub Under Active Exploitation
CVE-2026-35273 in Oracle PeopleSoft PeopleTools EMHub Under Active Exploitation
Jun 12, 2026
Free Dark Web Report
Is your Domain/Email Exposed?
Apr 14, 2026
5 Mins Read
Moon

CVE-2026-34486: Apache Tomcat Tribes Regression Creates Unauthenticated RCE Path

Apache Tomcat users running Tribes clustering should pay attention to CVE-2026-34486, an important-severity regression that can turn an exposed cluster receiver into an unauthenticated remote code execution (RCE) opportunity.

The flaw was introduced by a prior security fix for CVE-2026-29146, where a small control-flow change caused decryption failures to fail open instead of fail closed. If an attacker can reach the Tribes receiver port (default TCP/4000) and the target has usable Java deserialization gadgets on the classpath, exploitation can move from “garbage traffic” to code execution.

This post explains what CVE-2026-34486 is, who is affected, how the attack chain works at a high level, whether exploitation is confirmed, and what defenders should do now.

What Is CVE-2026-34486 in Apache Tomcat Tribes?

CVE-2026-34486 is a vulnerability in Apache Tomcat Tribes, the built-in clustering and session replication component. The issue sits in the EncryptInterceptor receiver-side logic, which is meant to decrypt cluster messages before they get processed.

Details of CVE-2026-34486 (SOCRadar Vulnerability Intelligence)

Details of CVE-2026-34486 (SOCRadar Vulnerability Intelligence)

Due to a regression introduced during the fix for CVE-2026-29146 (a padding-oracle issue), Tomcat can end up forwarding attacker-supplied bytes even when decryption fails. Those bytes can reach Tomcat’s Java deserialization code path, which uses ObjectInputStream.readObject() without an ObjectInputFilter in the described flow.

In practical terms, this turns “unauthenticated network reachability to the Tribes receiver” into a potential pre-auth deserialization sink in deployments where Tribes clustering is enabled, and EncryptInterceptor is in use.

Which Tomcat Versions Are Affected and What Are the Fixed Releases?

Affected versions are narrow and map to specific releases that included the earlier refactor:

  • Tomcat 11.0.20 is affected; fixed in 11.0.21 (fixed release dated 2026-04-04).
  • Tomcat 10.1.53 is affected; fixed in 10.1.54 (fixed release dated 2026-04-02).
  • Tomcat 9.0.116 is affected; fixed in 9.0.117 (fixed release dated 2026-04-03).

A notable exception: Tomcat 8.5.x is reported as not affected because the EncryptInterceptor component does not exist in that branch.

Why Does This Regression Create a “Fail-Open” Deserialization Risk?

The core of the bug is simple and operationally dangerous: a one-line control-flow shift changed the receiver behavior from “drop message on crypto error” to “keep processing even if crypto fails.”

What changed?

In EncryptInterceptor.messageReceived(), a call to super.messageReceived(msg) was moved outside of a try/catch. That means when decryption throws a GeneralSecurityException (for example, BadPaddingException or AEADBadTagException), the interceptor still forwards the message up the processing chain.

Where does it go next?

Forwarded bytes reach GroupChannel.messageReceived() and eventually XByteBuffer.deserialize(), which performs Java deserialization using a plain ObjectInputStream.readObject() in the described path.

Without an object filter, untrusted serialized objects can be loaded and instantiated.

This is why CVE-2026-34486 matters even in environments that enable encryption to protect cluster traffic. The encryption layer becomes a bypassable gate instead of a hard stop.

How Could an Unauthenticated Attacker Exploit CVE-2026-34486?

Exploitation depends heavily on exposure and classpath reality, but the chain is simple:

Preconditions defenders should validate

  • Tribes clustering is enabled, and EncryptInterceptor is in use.
  • The Tribes receiver is reachable over the network, typically on TCP port 4000 by default.
  • The application environment includes deserialization gadget classes on the classpath (researchers tested with commons-collections-3.1.jar as an example). Deserialization may still occur without gadgets, but reliable RCE typically requires them.

High-level attack flow

  1. An attacker sends a crafted Tribes message to the receiver port (the protocol envelope is not authenticated at the framing layer).
  2. The target node attempts to decrypt the payload via EncryptInterceptor.
  3. Decryption fails, but due to the regression, the message is still forwarded.
  4. The attacker-controlled bytes hit the deserialization routine.
  5. If a usable gadget chain exists, this can lead to unauthenticated RCE.

One operational detail worth noting for defenders: logs may show a decrypt failure message like “Failed to decrypt message”, while the payload may still get processed beyond that point.

Is There Confirmed Active Exploitation of CVE-2026-34486?

At the time of the referenced disclosures, active exploitation is unconfirmed. There is no credible confirmation cited such as a government exploitation catalog entry, a vendor statement confirming in-the-wild attacks, or major incident reporting tied directly to CVE-2026-34486.

That said, the combination of unauthenticated network reachability plus a deserialization sink is a familiar exploitation pattern. If TCP/4000 is reachable beyond trusted cluster members, defenders should treat this as a high-priority exposure issue even without public exploitation confirmation.

SOCRadar’s Vulnerability Intelligence

SOCRadar’s Vulnerability Intelligence

To better understand which external risks matter most and where your organization may be exposed, security teams need both threat context and asset visibility.

SOCRadar Cyber Threat Intelligence helps security teams track emerging threats, attacker activity, exploit discussions, and broader trends that may affect their environment. Combined with Attack Surface Management, which identifies internet-facing assets, exposed services, and external weaknesses, it helps teams prioritize action with clearer, more relevant context.

What Should Defenders Do Now to Reduce Risk?

Patch first (recommended)

Upgrade to a fixed Tomcat release in your branch:

  • 11.0.21 (from 11.0.20)
  • 10.1.54 (from 10.1.53)
  • 9.0.117 (from 9.0.116)

The functional fix restores fail-closed behavior by ensuring super.messageReceived(msg) only happens when decryption succeeds.

Contain the receiver port exposure

If you cannot patch immediately, prioritize network controls around the Tribes receiver:

  • Restrict TCP/4000 to only trusted cluster members (security groups, firewalls, VLAN controls).
  • In Kubernetes or container environments, enforce pod-to-pod restrictions with NetworkPolicy and verify there is no broad lateral reachability to peer receivers.

Add targeted detection and triage

  • Hunt for receiver-side log events indicating decrypt failures (“Failed to decrypt message”), especially if they correlate with unusual inbound connections to TCP/4000.
  • Inventory where Tribes is enabled and confirm whether the receiver port is unintentionally exposed across environments (prod, staging, DR).

For most organizations, the decision point is simple: if you run Tomcat Tribes with EncryptInterceptor and the receiver is reachable beyond a tightly controlled segment, treat CVE-2026-34486 as urgent and patch or isolate quickly.