Apache Tomcat April Vulnerabilities Security Update Advisory
Overview.
A security update has been released to address multiple security vulnerabilities in Apache Tomcat.
Affected versions are Tomcat 9.0.0.M1 through 9.0.116, 10.0.0-M1 through 10.1.53, and 11.0.0-M1 through 11.0.20.
Recommended patch versions include 9.0.117, 9.0.116, 11.0.21, 11.0.20, 10.1.54, and 10.1.53.
Summary of vulnerabilities.
CVE-2026-24880 is an HTTP request smuggling vulnerability that can affect request isolation and proxy interaction.
CVE-2026-29145 and CVE-2026-34500 concern OCSP checks that may intermittently be treated as soft-fail even when soft-fail is disabled, which could affect the reliability of certificate verification.
CVE-2026-34487 is an issue where the Kubernetes bearer token can be exposed by the cloud membership component used for clustering.
CVE-2026-25854 can cause an intermittent open redirect when a crafted URL is requested.
CVE-2026-34483 is a vulnerability caused by incomplete escape handling in JSON access logs.
CVE-2026-29129 is an issue where the configured TLS cipher suite priority is not preserved.
CVE-2026-29146 is a padding oracle vulnerability in the default settings of EncryptInterceptor.
CVE-2026-34486 and CVE-2026-32990 are additional vulnerabilities arising from an incomplete earlier fix.
Impact and advisory.
The vulnerabilities have the potential to lead to security incidents, including certificate validation bypass, token exposure, request path manipulation, log forgery, and cryptographic information leakage.
Affected systems should be updated to the latest recommended Tomcat release.
Additional information and the original security advisory can be found on the Apache Tomcat Security page and in the respective CVE reference documents.
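To turn the affected ranges above into an inventory check, the following added example (not part of the advisory or of the Tomcat project) parses Tomcat version strings, including milestone builds such as 9.0.0.M1 and 10.0.0-M1, orders them correctly against GA releases, and reports which hosts fall inside an affected range. The affected ranges are the ones stated in this advisory; the fixed versions 9.0.117, 10.1.54 and 11.0.21 are an assumption taken as the first release beyond each affected range, and the host inventory is constructed sample data.

```python
"""Classify Apache Tomcat version strings against the affected ranges in this advisory."""
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the advisory, keyed by branch: (first affected, last affected).
AFFECTED: Dict[str, Tuple[str, str]] = {
    "9.0": ("9.0.0.M1", "9.0.116"),
    "10.1": ("10.0.0-M1", "10.1.53"),
    "11.0": ("11.0.0-M1", "11.0.20"),
}

# Assumption: the first release after each affected range is the fixed one.
FIXED: Dict[str, str] = {"9.0": "9.0.117", "10.1": "10.1.54", "11.0": "11.0.21"}

# Tomcat versions look like 9.0.116, 9.0.0.M1 (dot before the milestone) or 10.0.0-M1 (dash).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Return a sortable key (major, minor, patch, ga_flag, milestone).

    Milestone builds get ga_flag 0 so that 11.0.0-M5 sorts before the 11.0.0 GA
    release (ga_flag 1), matching how the advisory's ranges start at an M1 build.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def branch_of(key: VersionKey) -> Optional[str]:
    """Map a parsed version to the advisory branch that covers it (None if not covered)."""
    return {9: "9.0", 10: "10.1", 11: "11.0"}.get(key[0])


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) where status is 'affected', 'fixed' or 'unknown'.

    'unknown' covers branches this advisory does not mention (e.g. 8.5.x), for which
    no conclusion should be drawn from this data.
    """
    key = parse_version(version)
    branch = branch_of(key)
    if branch is None:
        return ("unknown", None)
    low, high = (parse_version(v) for v in AFFECTED[branch])
    if low <= key <= high:
        return ("affected", FIXED[branch])
    if key > high:
        return ("fixed", None)
    return ("unknown", None)


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, running_version, fixed_version) for every host inside an affected range."""
    findings = []
    for host, version in inventory:
        status, fixed = assess(version)
        if status == "affected":
            findings.append((host, version, fixed))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("app-01.example.internal", "9.0.116"),
    ("app-02.example.internal", "9.0.117"),
    ("api-01.example.internal", "10.1.53"),
    ("legacy-01.example.internal", "10.0.27"),
    ("edge-01.example.internal", "11.0.0-M5"),
    ("edge-02.example.internal", "11.0.21"),
    ("old-01.example.internal", "8.5.100"),
]

if __name__ == "__main__":
    for host, running, fixed in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Tomcat {running} is affected; update to {fixed}")
```

Feed the function the output of your own inventory tooling (for example, the version reported by `catalina.sh version` collected per host); the important detail is the milestone ordering, since a naive string or float comparison would place 11.0.0-M5 after 11.0.0 and misclassify it.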