Cipher Preference Order Vulnerability in Apache Tomcat by Apache
CVE-2026-29129

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-29129?

This vulnerability in Apache Tomcat arises from the improper handling of the cipher preference order, potentially allowing attackers to exploit the issue and force the server to use weaker ciphers. Affected versions include 11.0.16 to 11.0.18, 10.1.51 to 10.1.52, and 9.0.114 to 9.0.115. Users are strongly advised to upgrade to the patched versions 11.0.20, 10.1.53, or 9.0.116 to mitigate any possible risks.

Affected Version(s)

Apache Tomcat 11.0.16 <= 11.0.18

Apache Tomcat 10.1.51 <= 10.1.52

Apache Tomcat 9.0.114 <= 9.0.115

References

https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprol...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29129 Data

JSON