oss-sec mailing list archives

CVE-2026-29129: Apache Tomcat: TLS cipher order is not preserved


From: Mark Thomas <markt () apache org>
Date: Thu, 9 Apr 2026 20:48:03 +0100

Severity: low

Affected versions:

- Apache Tomcat 11.0.16 through 11.0.18
- Apache Tomcat 10.1.51 through 10.1.52
- Apache Tomcat 9.0.114 through 9.0.115

Description:

Configured cipher preference order not preserved vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

References:

https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-29129


Current thread: