Executive Summary
A critical vulnerability tracked as CVE-2026-59084 has been disclosed in Apache Tomcat, affecting its cluster EncryptInterceptor component. The flaw stems from insufficient technical documentation — the requirements to securely configure the EncryptInterceptor were not clearly documented, meaning operators may have deployed cluster encryption in an insecure state without any warning.
CVSS Score: 9.1 (Critical)
The vulnerability affects Apache Tomcat 9.0.x, 10.1.x, and 11.0.x branches. Patches are now available across all affected versions.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-59084 |
| CVSS Score | 9.1 (Critical) |
| Type | Insufficient Technical Documentation / Insecure Default Configuration |
| Component | EncryptInterceptor (Cluster Communication) |
| Attack Vector | Network |
| Privileges Required | None (for misconfigured clusters) |
| User Interaction | None |
| Disclosure | Apache Software Foundation Security Team |
What Is EncryptInterceptor?
Apache Tomcat supports clustering — multiple Tomcat nodes sharing session state and replicating data across the cluster. The EncryptInterceptor is a cluster valve designed to encrypt inter-node traffic within this cluster, protecting sensitive session data from interception on internal networks.
When properly configured, EncryptInterceptor provides cryptographic protection for cluster replication messages. However, CVE-2026-59084 reveals that the required configuration steps to achieve meaningful security were never adequately documented, leaving administrators to deploy the feature in configurations that may provide a false sense of security.
Affected Versions
| Branch | Affected Versions | Fixed Version |
|---|---|---|
| Apache Tomcat 8.5.x | Selected versions | See Apache advisory |
| Apache Tomcat 9.0.x | 9.0.13 through 9.0.119 | 9.0.120+ |
| Apache Tomcat 10.1.x | 10.1.0-M1 through 10.1.56 | 10.1.57+ |
| Apache Tomcat 11.0.x | 11.0.0-M1 through 11.0.23 | 11.0.24+ |
Risk Assessment
The risk from this vulnerability manifests in deployments where:
- Cluster replication is enabled using Tomcat's built-in clustering
- EncryptInterceptor is present in the cluster valve pipeline
- Configuration is incomplete due to lack of clear documentation
In such scenarios, cluster communication may be transmitted in a partially or fully unencrypted state, or with weak cryptographic settings. An attacker with access to the cluster network — including internal attackers, compromised internal hosts, or anyone on the same network segment — could potentially:
- Intercept and read session replication traffic
- Tamper with session data being replicated between nodes
- Inject malicious session data into the replication stream
- Hijack user sessions across all nodes in the cluster
The CVSS 9.1 score reflects the potential for complete session compromise at scale across clustered deployments.
Attack Scenario
1. Operator deploys Tomcat cluster with EncryptInterceptor enabled
2. Documentation gap: required keys/parameters not configured correctly
3. Cluster replication traffic transmitted with inadequate encryption
4. Attacker on internal network (VLAN, compromised host, insider) captures traffic
5. Session tokens and sensitive data extracted from replication packets
6. Attacker replays or modifies sessions across all cluster nodes
7. Full session hijacking / privilege escalation achievedImmediate Remediation
Step 1: Update Apache Tomcat
Update to the patched release for your branch:
# Check current version
catalina.sh version
# For RHEL/CentOS-based systems
yum update tomcat
# For Ubuntu/Debian-based systems
apt-get update && apt-get upgrade tomcat9
# Or download directly from Apache
# https://tomcat.apache.org/download-90.cgi (9.0.x)
# https://tomcat.apache.org/download-10.cgi (10.1.x)
# https://tomcat.apache.org/download-11.cgi (11.0.x)Step 2: Review EncryptInterceptor Configuration
If you use Tomcat clustering, audit your server.xml configuration:
<!-- Locate your Cluster configuration -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
<Channel className="org.apache.catalina.tribes.group.GroupChannel">
<Interceptor
className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
encryptionAlgorithm="AES/GCM/NoPadding"
encryptionKeyLength="256"
encryptionKeyFile="/path/to/cluster.key"
/>
<!-- Additional interceptors -->
</Channel>
</Cluster>Key parameters that must be explicitly set:
encryptionAlgorithm— useAES/GCM/NoPadding(authenticated encryption)encryptionKeyLength— set to256(minimum)encryptionKeyFile— must point to a securely generated key file
Step 3: Generate a Secure Encryption Key
# Generate a 256-bit AES key for cluster encryption
openssl rand -out /etc/tomcat/cluster.key 32
chmod 600 /etc/tomcat/cluster.key
chown tomcat:tomcat /etc/tomcat/cluster.keyStep 4: Network Isolation
Even with encryption, restrict cluster replication traffic:
# Allow only cluster members to communicate on replication port
iptables -A INPUT -p tcp --dport 4000 -s <cluster-member-1-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -s <cluster-member-2-ip> -j ACCEPT
iptables -A INPUT -p tcp --dport 4000 -j DROP
# Repeat for multicast (if used)
iptables -A INPUT -p udp --dport 45564 -s <cluster-subnet> -j ACCEPT
iptables -A INPUT -p udp --dport 45564 -j DROPDetection
Monitor for indicators of cluster traffic exposure:
| Indicator | Description |
|---|---|
| Unencrypted port 4000 traffic | Default Tomcat cluster replication port sending cleartext |
| Unexpected cluster member joins | Unknown host attempting to join cluster replication group |
| Session state anomalies | Session data mismatches between nodes without legitimate cause |
| High cluster replication traffic | Potential exfiltration or injection into replication stream |
# Check if cluster replication port is accessible externally
nmap -p 4000 <external-ip>
# Monitor for suspicious cluster join events in Tomcat logs
grep -i "Member\|Cluster\|Tribe" /var/log/tomcat*/catalina.out | grep -i "added\|joined"Post-Remediation Steps
- Confirm version upgrade — verify
catalina.sh versionshows the patched release - Validate EncryptInterceptor config — test cluster communication with packet capture to confirm encryption
- Rotate cluster encryption keys — generate new keys after patch
- Review cluster member list — ensure only authorized nodes are cluster members
- Restrict network access — firewall cluster replication ports to cluster members only
- Enable access logging — log all cluster management operations
- Review session security — ensure
HttpOnlyandSecureflags are set on session cookies