CVE-2026-34487 PUBLISHED

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Assigner: apache
Reserved: 30.03.2026 Published: 09.04.2026 Updated: 09.04.2026

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Tomcat
Versions	Default: unaffected affected from 11.0.0-M1 to 11.0.20 (incl.) affected from 10.1.0-M1 to 10.1.53 (incl.) affected from 9.0.13 to 9.0.116 (incl.)

Credits

Bartlomiej Dmitruk, striga.ai finder

References

https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h

Problem Types

CWE-532 Insertion of Sensitive Information into Log File CWE