TL;DR: Apache Tomcat CVE-2026-29146 lets an attacker with network access forge cluster messages, plant fake identities, and bypass authentication to reach full server control, according to Oligo Security. The flaw shows how trusted-network assumptions and unauthenticated replication can collapse access controls even when encryption is enabled.
At a glance
What this is: This research shows how a Tomcat cluster communication flaw can be used to forge authentication state and take over affected servers.
Why it matters: It matters because identity controls can fail at the replication layer, so IAM, PAM, and NHI governance teams must treat clustered application internals as part of the access boundary.
By the numbers:
- 70% of Java developers use Tomcat as their application server, making it a high-value target.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read Oligo Security's analysis of the Tomcat cluster auth bypass and CVE-2026-29146
Context
Tomcat cluster authentication bypass is a server-side identity problem, not just a vulnerability disclosure. When a clustered application assumes its peer nodes are trustworthy, access control can be rewritten at the replication layer before the login flow ever runs.
For IAM and security teams, the lesson is broader than Tomcat itself. Any platform that shares session state, accepts internal messages, or treats encrypted traffic as implicitly trusted can turn network reachability into identity compromise, especially when the application stack itself becomes the enforcement point.
Key questions
Q: What breaks when a clustered application trusts peer nodes without authenticating them?
A: When a clustered application trusts peer nodes without authenticating them, an attacker who reaches the internal port can influence session state, principals, or roles as though they were a legitimate node. That turns replication into an identity injection path, which can bypass login logic and downstream authorization. In Tomcat, that is enough to override application access controls.
Q: Why do encrypted internal channels still fail in access control breaches?
A: Encrypted internal channels still fail when they protect confidentiality but not integrity or peer identity. If the protocol accepts attacker-controlled messages, or if error handling leaks timing differences, the attacker may forge valid state without the key. Access control then fails because the application trusts the channel rather than validating the actor and the message.
Q: How should teams assess clustered applications that share authentication state?
A: Teams should assess whether shared authentication state can be created, modified, or replayed from an internal network position alone. If the answer is yes, the cluster design is part of the identity boundary and must be reviewed like any privileged access path. That includes port exposure, message authentication, and session provenance checks.
Q: Who is accountable when forged session data bypasses application access controls?
A: Accountability sits with the team that owns the application trust model, not only the network team. If cluster replication can create trusted identities, then application owners, IAM leads, and platform engineers all share responsibility for proving that identity state cannot be injected or silently overwritten. NIST Cybersecurity Framework 2.0 is a useful lens for that review.
Technical breakdown
How unauthenticated Tomcat cluster messaging becomes an access boundary
Tomcat clustering replicates session and authentication state between nodes so users stay logged in as traffic shifts. In CVE-2026-29146, the cluster protocol does not authenticate peers by default, so a host that can reach the cluster port can present itself like a trusted node. That design means replication traffic is not just transport, it is part of the trust model. Once an attacker can influence cluster messages, they can target the cached identity state that Tomcat later uses to decide whether a request is authenticated.
Practical implication: restrict cluster traffic to trusted infrastructure and treat replication ports as identity-sensitive attack surfaces.
Why the EncryptInterceptor padding oracle defeats encrypted cluster traffic
EncryptInterceptor uses AES-CBC without authenticated encryption, which leaves it exposed to a padding oracle. The flaw is not simple decryption by brute force. Instead, the attacker manipulates plaintext header flags and measures small timing differences between padding failure modes to recover bytes and then forge new encrypted messages. Because the header is not authenticated, the attacker can trigger the oracle without the key. This breaks the assumption that encryption alone protects cluster replication state.
Practical implication: require authenticated encryption for internal trust channels, not encryption without integrity.
How forged cluster messages turn into fake identities and server takeover
Once message forgery is possible, the attacker can inject fabricated session entries or principals into Tomcat's authentication store. In the SSO path, a forged cache entry maps a chosen session ID to a user identity with attacker-selected roles. In the session principal path, a forged session and principal are inserted directly into a clustered session manager. Tomcat then accepts the identity as legitimate and skips normal login checks, which can expose manager-level functions and arbitrary code execution.
Practical implication: verify that session replication cannot create or overwrite authenticated principals without independent validation.
Threat narrative
Attacker objective: The attacker aims to impersonate a trusted user inside Tomcat, bypass application access controls, and gain full server takeover.
- Entry occurs when an attacker reaches the Tomcat cluster receiver port from a network that operators assumed was trusted.
- Escalation occurs when the attacker uses the EncryptInterceptor timing oracle to decrypt or forge cluster messages without the key.
- Impact occurs when forged replication messages plant fake authentication state, bypass access controls, and enable arbitrary code execution on the server.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- JetBrains GitHub plugin token exposure — CVE-2024-37051 in JetBrains IntelliJ GitHub plugin exposed GitHub access tokens.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Trusted-cluster identity is a brittle assumption, not a security control. Tomcat's design depends on peer nodes being trustworthy, yet CVE-2026-29146 shows that a reachable cluster port can become an identity injection path. Encryption does not rescue the model when integrity and peer authentication are missing. The practitioner conclusion is that internal replication must be treated as part of the access plane, not as benign backend traffic.
Session replication becomes an authentication control when the application makes it one. In this case, the platform trusts replicated principals and roles as though they were issued by a real authentication system. That means a flaw in cluster messaging can override login logic, role assignment, and downstream authorization in one move. The field lesson is that application clusters can quietly become identity issuers if their trust model is too loose.
Identity blast radius expands when network reachability and session trust are coupled. This breach worked because network access to the cluster port was enough to influence identity state at runtime. The same pattern appears whenever session data, principals, or tokens are accepted from an internal channel without separate validation. Practitioners should treat replicated identity data as high-risk control material, not implementation detail.
Cryptographic protection without authenticated peers creates a false sense of control. The EncryptInterceptor flaw illustrates a failure mode where teams believe encryption closes the door, but the protocol still accepts attacker-controlled cluster behaviour. That is a governance gap, not merely a code defect, because it reflects an assumption that trust can be inferred from network placement. The implication is that security reviews must challenge whether a control actually authenticates the actor, not just the payload.
Tomcat CVE-2026-29146 is a clear example of session-state trust without lifecycle verification. The forged identity persists because the platform does not revalidate how the session was created before honoring it. That breaks the premise that authenticated state is always the product of a legitimate login flow. The practitioner takeaway is to treat session provenance as a control requirement, not an implementation footnote.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That matters because the broader identity lesson here is control over provenance and lifecycle, not just credential secrecy, as detailed in Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs.
What this signals
Trusted replication channels are becoming identity-critical control points. As application stacks concentrate more authentication logic inside cluster services, security teams need to treat internal message paths as part of the identity perimeter. The structural risk is not limited to Tomcat: any system that replicates principals, sessions, or tokens can inherit the same trust-boundary problem unless the channel itself is authenticated and monitored.
Identity governance must extend into application runtime assumptions. A Tomcat cluster can be patched, yet the programme still fails if teams believe internal network placement equals trust. That is why the governance question now is whether the application can create or overwrite authenticated state without an independent trust check. In the NHI context, the same logic applies when machine identities are accepted from internal systems without lifecycle and provenance controls.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, identity compromise is increasingly a systems problem rather than a single credential problem. The programme implication is to align application trust paths with zero trust design and to validate them against NIST Cybersecurity Framework 2.0.
For practitioners
- Constrain cluster ports to trusted paths Keep Tomcat cluster receiver traffic on private networks, VPNs, or equivalent segmented paths, and verify that no untrusted segment can reach replication ports.
- Require authenticated encryption for replication channels Use authenticated encryption for any internal channel that carries session or identity state, and do not treat AES-CBC encryption alone as a sufficient safeguard.
- Audit session and principal replication controls Review whether clustered session managers can accept forged principals, overwrite roles, or create authenticated state without independent validation before login logic runs.
- Map application clustering into IAM threat models Include session replication, SSO cache sharing, and cluster message handling in identity risk reviews so application internals are assessed as part of the access boundary.
- Test for trust-boundary failure under network reachability Validate that a host with only cluster-port access cannot influence authentication state, even if it can send valid-looking internal messages.
Key takeaways
- CVE-2026-29146 shows that a reachable Tomcat cluster port can be enough to alter authentication state if peer trust is not enforced.
- The impact is severe because forged cluster messages can inject identities, bypass access controls, and lead to arbitrary code execution.
- Authenticated encryption, strict network segmentation, and validation of session provenance are the controls that limit this failure mode.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Forged cluster identities show why non-human trust boundaries must be authenticated. |
| NIST CSF 2.0 | PR.AC-4 | The flaw bypasses access controls through trusted internal identity state. |
| NIST Zero Trust (SP 800-207) | SC-7 | The exploit depends on over-trusted internal network reachability. |
Map cluster replication into access control reviews and verify trust assumptions in internal channels.
Key terms
- Cluster authentication state: The cached identity information a clustered application uses to decide whether a request is already authenticated. In Tomcat-style architectures, this state may be replicated between nodes, which makes it a high-value target because manipulating it can bypass the normal login flow and inherit the application’s access decisions.
- Padding oracle attack: An attack that uses differences in how a system responds to malformed encrypted data to recover plaintext or forge valid ciphertext. The key weakness is not the encryption algorithm alone, but the error handling or timing behaviour that leaks enough information for an attacker to reconstruct trusted messages.
- Session principal injection: The act of inserting a fabricated user identity and role set into an application session so the system treats the attacker as an authenticated user. In clustered environments, this can happen through replication paths if the platform accepts identity state without independent validation.
- Trust boundary: The point where a system should stop assuming a caller, message, or node is legitimate without verification. In this article’s context, the trust boundary is not the login screen alone, but also the internal cluster channel that can influence authentication state and authorization outcomes.
What's in the full article
Oligo Security's full research covers the exploitation details this post intentionally leaves at a higher level:
- Step-by-step exploit conditions for CVE-2026-29146 across clustered Tomcat deployments
- Technical breakdown of the EncryptInterceptor timing oracle and message-forgery path
- Affected version guidance and the specific 11.0.21 remediation boundary
- Operational mitigation options for environments that cannot upgrade immediately
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-23.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org