CVE-2026-34487 Overview
CVE-2026-34487 is an Insertion of Sensitive Information into Log File vulnerability (CWE-532) in the cloud membership clustering component of Apache Tomcat. The component writes the Kubernetes bearer token it uses to authenticate to the Kubernetes API server into Tomcat's log output, so anyone who can read those log files can obtain the credential used for Kubernetes cluster communication.
Critical Impact
Exposure of Kubernetes bearer tokens in log files could allow unauthorized access to Kubernetes clusters, enabling attackers to compromise containerized workloads, access secrets, and potentially pivot to other resources within the cluster.
Affected Products
- Apache Tomcat versions 11.0.0-M1 through 11.0.20
- Apache Tomcat versions 10.1.0-M1 through 10.1.53
- Apache Tomcat versions 9.0.13 through 9.0.116
Discovery Timeline
- 2026-04-09 - CVE-2026-34487 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34487
Vulnerability Analysis
This vulnerability represents a significant information disclosure issue within Apache Tomcat's cloud membership clustering functionality. When Tomcat is deployed in a Kubernetes environment and utilizes the cloud membership provider for clustering, the system inadvertently logs the Kubernetes bearer token to application log files. This token serves as the authentication credential for Tomcat instances to communicate with the Kubernetes API server for service discovery and cluster coordination.
The sensitive token exposure occurs during normal cluster membership operations, meaning any deployment using this feature would be affected. The logged bearer tokens could be accessed by anyone with read permissions to the log files, including system administrators, log aggregation systems, and potentially malicious actors who gain access to the filesystem or log management infrastructure.
Root Cause
The root cause of CVE-2026-34487 is improper handling of sensitive authentication data within the logging subsystem of Apache Tomcat's cloud membership clustering component. The Kubernetes bearer token, which should be treated as a secret credential and never written to logs, is being included in log output without proper sanitization or redaction. This violates secure coding practices for handling authentication tokens and sensitive configuration data.
Attack Vector
An attacker could exploit this vulnerability through several scenarios:
- Direct log file access: An attacker with filesystem access to the Tomcat server could read log files containing the exposed bearer tokens
- Log aggregation compromise: If logs are forwarded to centralized logging systems (e.g., Elasticsearch, Splunk), compromise of these systems would expose the tokens
- Backup exploitation: Log files included in system backups could be extracted to obtain the tokens
- Insider threat: Malicious insiders with legitimate log access could harvest tokens for unauthorized Kubernetes API access
Once an attacker obtains the Kubernetes bearer token, they could authenticate to the Kubernetes API server and perform actions based on the token's associated permissions, potentially including reading secrets, deploying malicious workloads, or escalating privileges within the cluster.
Detection Methods for CVE-2026-34487
Indicators of Compromise
- Presence of Kubernetes bearer tokens in Apache Tomcat log files (typically catalina.out or configured logging destinations)
- Unusual API calls to the Kubernetes API server from unexpected sources using legitimate service account tokens
- Log entries containing `Authorization: Bearer` headers or raw JWTs associated with Kubernetes service accounts
- Unexpected access patterns to Kubernetes resources that correlate with Tomcat service account permissions
Detection Strategies
- Implement log scanning rules that match Kubernetes bearer tokens (service account tokens are JWTs, whose base64url-encoded JSON header always begins with `eyJ`)
- Monitor Kubernetes audit logs for API calls using Tomcat service account tokens from unexpected IP addresses
- Deploy file integrity monitoring on Tomcat log directories to track access patterns
- Configure SentinelOne to alert on processes reading log files containing sensitive credential patterns
Monitoring Recommendations
- Enable verbose Kubernetes API audit logging to track all authentication events using affected service accounts
- Implement centralized log monitoring with alerts for sensitive data exposure patterns
- Establish baseline Kubernetes API access patterns for Tomcat instances to detect anomalous behavior
- Configure network monitoring to detect Kubernetes API communications from unauthorized hosts
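The audit-log checks above (Tomcat service account calls from unexpected sources, and calls outside the baseline the membership provider needs) as an added example, not code from the page or from Tomcat. It assumes a constructed baseline of Tomcat pod IPs and expected verbs, and constructed `audit.k8s.io/v1` events; the IDs and addresses are made up.

```python
import json

# Constructed baseline: the Tomcat service account, the pod IPs it legitimately runs on,
# and the only actions the cloud membership provider needs (reading pods in its namespace).
TOMCAT_SA = "system:serviceaccount:default:tomcat"
KNOWN_TOMCAT_IPS = {"10.244.1.10", "10.244.1.11"}
EXPECTED_ACTIONS = {("get", "pods"), ("list", "pods"), ("watch", "pods")}

def check_event(event: dict) -> list:
    """Return the reasons this audit event looks like token misuse (empty list if normal)."""
    if event.get("user", {}).get("username") != TOMCAT_SA:
        return []  # only requests authenticated as the Tomcat service account matter here
    reasons = []
    ips = set(event.get("sourceIPs", []))
    if not ips <= KNOWN_TOMCAT_IPS:
        reasons.append(f"unexpected source {sorted(ips - KNOWN_TOMCAT_IPS)}")
    action = (event.get("verb"), event.get("objectRef", {}).get("resource"))
    if action not in EXPECTED_ACTIONS:
        # A denied (403) attempt still counts: the token is being used beyond its purpose.
        reasons.append(f"unexpected action {action[0]} {action[1]}")
    return reasons

def scan_audit_log(lines) -> list:
    """Return (auditID, reasons) for each suspicious event in a JSON-lines audit log."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("stage") != "ResponseComplete":
            continue  # avoid counting the RequestReceived/ResponseComplete pair twice
        reasons = check_event(ev)
        if reasons:
            findings.append((ev.get("auditID"), reasons))
    return findings

# Constructed audit events in the audit.k8s.io/v1 shape; auditIDs and IPs are made up.
SAMPLE_AUDIT = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:tomcat"},"sourceIPs":["10.244.1.10"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:tomcat"},"sourceIPs":["192.0.2.7"],"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:tomcat"},"sourceIPs":["10.244.1.11"],"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"sourceIPs":["10.244.0.3"],"objectRef":{"resource":"endpoints"},"responseStatus":{"code":200}}
"""
```

Running `scan_audit_log(SAMPLE_AUDIT.splitlines())` flags a2 (off-baseline source) and a3 (secret read), and ignores a1 and the unrelated coredns event.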
How to Mitigate CVE-2026-34487
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 depending on your deployment version
- Rotate any Kubernetes bearer tokens that may have been written to log files before the patch was applied
- Review and purge historical log files that may contain exposed tokens
- Restrict file permissions on Tomcat log directories to minimize access
Patch Information
Apache has released patched versions that fix this vulnerability. Users should upgrade to the following versions:
| Affected Branch | Fixed Version |
|---|---|
| 11.x | 11.0.21 |
| 10.1.x | 10.1.54 |
| 9.x | 9.0.117 |
For additional details, refer to the Apache Mailing List Thread regarding this security issue.
Workarounds
- If immediate patching is not possible, consider temporarily disabling the cloud membership clustering feature until the upgrade can be performed
- Implement strict log file access controls to limit who can read Tomcat logs
- Configure log rotation with short retention periods to minimize the window of token exposure
- Use a Kubernetes service account with minimal required permissions to limit the impact of potential token compromise
- Consider deploying a log filtering proxy to redact sensitive patterns before logs are written to disk
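The log scanning rule from the Detection Strategies section and the redaction filter suggested in the last workaround share one piece of logic, so both are shown here in a single added example that is not code from the page or from Tomcat. The Tomcat-style log lines, logger names and the service account JWT (built with a dummy signature) are all constructed.

```python
import base64
import hashlib
import json
import re

# Kubernetes service account bearer tokens are JWTs: three base64url segments, the
# first encoding a JSON header, so every one starts with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying it; triage only needs the claims."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_service_account_token(token: str) -> bool:
    """Service account tokens carry sub=system:serviceaccount:<namespace>:<name>."""
    try:
        return jwt_claims(token).get("sub", "").startswith("system:serviceaccount:")
    except (ValueError, IndexError, AttributeError):
        return False

def fingerprint(token: str) -> str:
    """Short hash: lets a finding be matched to a rotation list without copying the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def scan_log(text: str) -> list:
    """Return (line_no, fingerprint, is_k8s_sa) for every JWT found in the log text."""
    return [(no, fingerprint(tok), is_service_account_token(tok))
            for no, line in enumerate(text.splitlines(), 1)
            for tok in JWT_RE.findall(line)]

def redact_line(line: str) -> str:
    """Replace each token with its fingerprint so the line stays correlatable but leaks nothing."""
    return JWT_RE.sub(lambda m: f"[REDACTED_JWT:{fingerprint(m.group(0))}]", line)

def _fake_jwt(claims: dict) -> str:
    """Constructed test token with a dummy signature; not a real credential."""
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'k1'})}.{enc(claims)}.{enc({'sig': 'dummy'})}"

# Constructed Tomcat-style log lines; logger names and message text are made up.
SA_TOKEN = _fake_jwt({"iss": "kubernetes/serviceaccount",
                      "sub": "system:serviceaccount:default:tomcat"})
SAMPLE_LOG = (
    f"10:15:01.123 FINE [main] cloud.KubernetesMembershipProvider.getPods token={SA_TOKEN}\n"
    "10:15:01.456 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1234] ms\n"
    f"10:15:02.789 FINE [main] http.Client.send Authorization: Bearer {SA_TOKEN}\n"
)
```

`scan_log(SAMPLE_LOG)` reports the two lines carrying the token (lines 1 and 3) with the same fingerprint, and `redact_line` applied to each line before it reaches disk keeps the message but leaves no `eyJ` material behind.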
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.