socradar.io 4/14/2026, 8:08:50 AM · via preferred

Apache Tomcat Tribes flaw exposes cluster to unauthenticated RCE

CyberSIXT Evidence Panel: source marked as original reporting
CISA KEV: Not in KEV
Patch status: Unknown

CVE-2026-34486 is a regression in Apache Tomcat Tribes that can convert an exposed cluster receiver into an unauthenticated remote code execution opportunity, according to SOCRadar Vulnerability Intelligence. The issue stems from a decryption failure that no longer halts processing, allowing attacker-supplied bytes to reach Java deserialization code paths when Tribes clustering is enabled and EncryptInterceptor is in use.

Affected Tomcat versions are narrowly defined: 11.0.20 is fixed in 11.0.21 (fixed release dated 4 April 2026), 10.1.53 is fixed in 10.1.54 (dated 2 April 2026), and 9.0.116 is fixed in 9.0.117 (dated 3 April 2026); Tomcat 8.5.x is not affected. Exploitation requires the receiver to be reachable over the network, typically on TCP port 4000, and deserialization gadgets on the classpath can facilitate pre-auth RCE if present.

Defenders are urged to patch to the fixed releases or isolate the Tribes receiver, and to monitor for decrypt-failure logs such as “Failed to decrypt message” that may accompany anomalous inbound connections.
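A triage check for the preconditions listed above, as an added example (not code from SOCRadar, CyberSIXT or the Apache Tomcat project). It assumes the documented Tribes receiver defaults (address `auto`, port 4000); the function name `assess` is hypothetical, and the sample `server.xml` and log lines are constructed.

```python
import xml.etree.ElementTree as ET

# Affected release -> fixed release, as listed in the article.
AFFECTED = {"11.0.20": "11.0.21", "10.1.53": "10.1.54", "9.0.116": "9.0.117"}
ENCRYPT = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
LOG_MARKER = "Failed to decrypt message"   # log text quoted in the article
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def assess(version, server_xml, log_lines=()):
    """Evaluate the article's preconditions for one Tomcat instance."""
    clusters = list(ET.fromstring(server_xml).iter("Cluster"))
    interceptors = {i.get("className") for c in clusters for i in c.iter("Interceptor")}
    binds = []
    for c in clusters:
        # Assumption: with no <Receiver>, Tribes defaults apply ("auto", port 4000).
        for r in list(c.iter("Receiver")) or [{}]:
            binds.append((r.get("address", "auto"), int(r.get("port", "4000"))))
    # Non-loopback bind = potentially reachable; firewall rules are not evaluated.
    exposed = [b for b in binds if b[0] not in LOOPBACK]
    out = {
        "affected_version": version in AFFECTED,
        "fixed_in": AFFECTED.get(version),
        "encrypt_interceptor": ENCRYPT in interceptors,
        "exposed_receivers": exposed,
        "decrypt_failures": sum(LOG_MARKER in line for line in log_lines),
    }
    out["at_risk"] = bool(out["affected_version"] and out["encrypt_interceptor"] and exposed)
    return out

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_XML = """<Server><Service name="Catalina"><Engine name="Catalina">
 <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
   <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
             address="auto" port="4000"/>
   <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"/>
  </Channel>
 </Cluster>
</Engine></Service></Server>"""
SAMPLE_LOG = [
    "14-Apr-2026 08:01:12.114 SEVERE [Tribes-Task-Receiver[Catalina-Channel]-3] Failed to decrypt message",
    "14-Apr-2026 08:01:13.002 INFO [main] Server startup in [2315] milliseconds",
]

if __name__ == "__main__":
    print(assess("10.1.53", SAMPLE_XML, SAMPLE_LOG))
```

A non-zero `decrypt_failures` count on an instance where `at_risk` is true is the combination worth correlating with inbound connections to the receiver port.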


Article by CyberSIXT