Skip to content

striga-ai/CVE-2026-34486

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
Dockerfile
Dockerfile
 
 
GadgetGen.java
GadgetGen.java
 
 
README.md
README.md
 
 
run.sh
run.sh
 
 
send_payload.py
send_payload.py
 
 
server.xml
server.xml
 
 

Repository files navigation

CVE-2026-34486

EncryptInterceptor fail-open bypass in Apache Tomcat Tribes clustering leading to unauthenticated RCE via Java deserialization.

Affected: 11.0.19+, 10.1.53+, 9.0.116+. Fixed in: 11.0.21, 10.1.54, 9.0.117.

Found and reported by Bartlomiej Dmitruk (striga.ai).

Writeup: https://striga.ai/research/tomcat-tribes-unauth-rce

Requirements

  • Docker
  • Java 21
  • Python 3

Usage

One-command reproduction:

bash run.sh

This builds the Docker image, starts Tomcat 11.0.20 with EncryptInterceptor, generates a CC6 gadget chain payload, sends it unencrypted to the Tribes receiver on port 4000, and verifies RCE by checking for /tmp/pwned inside the container.

Cleanup

docker rm -f tomcat-encrypt-poc

About

EncryptInterceptor fail-open bypass in Apache Tomcat Tribes clustering leading to unauthenticated RCE via Java deserialization.

Resources

Readme
Activity
Custom properties

Stars

68 stars

Watchers

0 watching

Forks

13 forks
Report repository

Contributors

Languages