#VU125741 Configuration in Apache Tomcat - CVE-2026-29129

 


Published: April 9, 2026 / Updated: April 10, 2026


Vulnerability identifier: #VU125741
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29129
CWE-ID: CWE-16
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Apache Tomcat
Software vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to cause the server to use TLS cipher suites in an unintended order.

The vulnerability exists due to improper handling of the TLS 1.3 cipher suite configuration when negotiating TLS connections. A remote attacker can initiate a TLS connection to cause the server to use TLS cipher suites in an unintended order.


Remediation

Install the security update from the vendor's website.

External links