CVE-2026-34487

NameCVE-2026-34487
DescriptionInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1133356, 1133357

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat10 (PTS)bookworm10.1.34-0+deb12u2vulnerable
bookworm (security)10.1.52-1~deb12u1vulnerable
trixie (security), trixie10.1.52-1~deb13u1vulnerable
forky, sid10.1.54-1fixed
tomcat11 (PTS)trixie (security), trixie11.0.15-1~deb13u1vulnerable
forky, sid11.0.21-1fixed
tomcat9 (PTS)bullseye9.0.43-2~deb11u10vulnerable
bullseye (security)9.0.107-0+deb11u2fixed
bookworm9.0.70-2fixed
trixie9.0.95-1fixed
forky, sid9.0.115-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat10source(unstable)10.1.54-11133356
tomcat11source(unstable)11.0.21-11133357
tomcat9source(unstable)9.0.70-2

Notes

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
Fixed by: https://github.com/apache/tomcat/commit/301bc6efbf72feb14dacfdfa3f50372182736150 (11.0.21)
Fixed by: https://github.com/apache/tomcat/commit/5eff2a773b8b728083e5195b3183df1b9e12a03d (10.1.54)
Fixed by: https://github.com/apache/tomcat/commit/f593292a082e5ef9336a8db2b4b522f7f3e36976 (9.0.117)
https://www.openwall.com/lists/oss-security/2026/04/09/28
Search for package or bug name: Reporting problems