{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34487", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-30T08:10:48.531Z", "datePublished": "2026-04-09T19:36:12.048Z", "dateUpdated": "2026-04-10T17:49:44.314Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.20", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.53", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.116", "status": "affected", "version": "9.0.13", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</p>"}], "value": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:12.048Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/28"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:54.609Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T17:47:28.920468Z", "id": "CVE-2026-34487", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:49:44.314Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/28"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:54.609Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34487", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T17:47:28.920468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:47:43.672Z"}}], "cna": {"title": "Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartlomiej Dmitruk, striga.ai"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.20"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.53"}, {"status": "affected", "version": "9.0.13", "versionType": "semver", "lessThanOrEqual": "9.0.116"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:12.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34487", "state": "PUBLISHED", "dateUpdated": "2026-04-10T17:49:44.314Z", "dateReserved": "2026-03-30T08:10:48.531Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:36:12.048Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue."}], "id": "CVE-2026-34487", "lastModified": "2026-04-10T18:16:43.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:25.203", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/28"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Information disclosure via sensitive data in log files", "id": "2457038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457038"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-538", "details": ["A flaw was found in Apache Tomcat. The cloud membership for clustering component was vulnerable to the insertion of sensitive information into log files. This vulnerability could lead to the exposure of the Kubernetes bearer token, which is a credential used for authentication within a Kubernetes cluster, potentially allowing unauthorized access to cluster resources."], "mitigation": {"lang": "en:us", "value": "Disable the cloud membership for clustering feature in Apache Tomcat if it is not actively used. Additionally, ensure that access to Apache Tomcat log files is strictly controlled and limited to authorized personnel only to prevent unauthorized disclosure of sensitive information. If the cloud membership for clustering feature is disabled, a restart of the Apache Tomcat service may be required for the changes to take effect."}, "name": "CVE-2026-34487", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:36:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34487\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34487\nhttps://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h"], "statement": "Low impact. This vulnerability in Apache Tomcat affects the cloud membership for clustering component, potentially exposing Kubernetes bearer tokens in log files. Exploitation requires the cloud membership feature to be enabled and an attacker to have access to the system's log files. Red Hat Enterprise Linux versions are affected if running Apache Tomcat with this specific clustering configuration.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M1,11.0.20]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.0-M1,10.1.53]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.13,9.0.116]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T21:22:58.067519+00:00", "value": {"mitigation_remediation": ["Upgrade to Apache Tomcat 11.0.21, 10.1.54, or 9.0.117, which eliminate the logging of sensitive tokens.", "Inspect existing log files for unintended token exposure and rotate or delete compromised tokens if found.", "Limit file system and network access to Tomcat log directories to prevent unauthorized reading of log content."], "summary": {"action": "Immediate Patch", "impact": "Escalated risk of exposure of Kubernetes bearer tokens through log files"}, "threat_synthesis": {"affected_systems": "Apache Tomcat 11.0.0\u2011M1 through 11.0.20, Apache Tomcat 10.1.0\u2011M1 through 10.1.53, and Apache Tomcat 9.0.13 through 9.0.116 are affected. Any deployment of these versions within a Kubernetes environment is at risk until upgraded.", "description_and_impact": "Received information indicating that the cloud membership module of Apache Tomcat logs the Kubernetes bearer token directly into plain text log files. The vulnerability can lead to disclosure of a credential that grants privileged access to the cluster, potentially enabling further lateral movement or unauthorized resource manipulation. The weakness identified aligns with CWE\u2011532, the insertion of sensitive information into logs.", "risk_and_exploitability": "The exploit requires the attacker to have legitimate access to the Tomcat log directory or the ability to read logs sent to a remote syslog server. While the public CVSS score is not provided, the presence of a bearer token in logs represents high confidentiality loss, and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation yet; however, the severity of potential credential compromise warrants immediate attention."}}}}, "created": "2026-04-10T08:38:47.798371+00:00", "updated": "2026-04-10T09:29:30.961782+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}