CVE-2026-29129 PUBLISHED

Apache Tomcat: TLS cipher order is not preserved

Assigner: apache
Reserved: 04.03.2026 Published: 09.04.2026 Updated: 09.04.2026

Configured cipher preference order not preserved vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.

Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.

Product Status

Vendor Apache Software Foundation
Product Apache Tomcat
Versions Default: unaffected
  • affected from 11.0.16 to 11.0.18 (incl.)
  • affected from 10.1.51 to 10.1.52 (incl.)
  • affected from 9.0.114 to 9.0.115 (incl.)

References

Problem Types

  • Configured cipher preference order not preserved