CVE-2026-34487

Summary

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat11.0.0-M1 <= 11.0.20affected
Apache Software FoundationApache Tomcat10.1.0-M1 <= 10.1.53affected
Apache Software FoundationApache Tomcat9.0.13 <= 9.0.116affected

Weaknesses

  • CWE-532: CWE-532 Insertion of Sensitive Information into Log File

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References