Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File

GHSA-x4m4-345f-5h5g · BIT-tomcat-2026-34487 · CVE-2026-34487

Published Apr 9, 2026 · Modified Apr 13, 2026

Description

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Packages

Maven/org.apache.tomcat.embed:tomcat-embed-core

Fix 10.1.54, 11.0.21, 9.0.117

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.13

187 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +167 more

Maven/org.apache.tomcat:tomcat

Fix 10.1.54, 11.0.21, 9.0.117

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.13

187 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +167 more

Maven/org.apache.tomcat:tomcat-catalina

Fix 10.1.54, 11.0.21, 9.0.117

Introduced 10.1.0-M1, 11.0.0-M1, 9.0.13

187 affected versions

10.1.010.1.0-M110.1.0-M1010.1.0-M1110.1.0-M1210.1.0-M1410.1.0-M1510.1.0-M1610.1.0-M1710.1.0-M210.1.0-M410.1.0-M510.1.0-M610.1.0-M710.1.0-M810.1.110.1.1010.1.1110.1.1210.1.13 +167 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes