Configuration in Apache Tomcat - CVE-2026-29129

 

Published: April 9, 2026 / Updated: April 10, 2026


Vulnerability identifier: #VU125741
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29129
CWE-ID: CWE-16
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to cause the server to use TLS cipher suites in an unintended order.

The vulnerability exists due to improper handling of the TLS 1.3 cipher suite configuration when negotiating TLS connections. A remote attacker can initiate a TLS connection to cause the server to use TLS cipher suites in an unintended order.


How to mitigate CVE-2026-29129

Install the security update from the vendor's website.

Sources