Sensitive Information Exposure in Apache Tomcat Clustering Component
CVE-2026-34487

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 9 April 2026

What is CVE-2026-34487?

The clustering component of Apache Tomcat contains a vulnerability that results in the exposure of the Kubernetes bearer token in log files. This issue impacts various versions of the software, allowing sensitive information to be inadvertently captured and logged. Users are urged to update to the latest versions to prevent potential exploitation and ensure secure handling of Kubernetes tokens.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.20

Apache Tomcat 10.1.0-M1 <= 10.1.53

Apache Tomcat 9.0.13 <= 9.0.116

References

https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlq...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 9, 2026
Vulnerability Reserved
Mar 30, 2026

Credit

Bartlomiej Dmitruk, striga.ai

CVE-2026-34487 Data

JSON