## https://sploitus.com/exploit?id=46BD95BB-4026-5FF1-BFF8-FDB0129FA958
# Lab Description
This lab focuses on **CVE-2026-34486**, a high-severity vulnerability affecting the Apache Tomcat clustering component (`catalina-tribes`). The vulnerability arises from a flawed error-handling regression in the `EncryptInterceptor`, introduced as a side effect of the patch for CVE-2026-29146. Learners will set up a vulnerable Tomcat instance with clustering enabled, craft a malicious Java deserialization payload using `ysoserial`, and deliver it to the unprotected Tribes receiver port to achieve unauthenticated Remote Code Execution (RCE).
# Overview of CVE-2026-34486
CVE-2026-34486 is a regression vulnerability in the Apache Tomcat `EncryptInterceptor` component (part of the Tribes cluster framework). When a cluster message is received and decryption fails โ for example because the incoming bytes were never encrypted to begin with โ the interceptor is supposed to discard the message. Instead, due to a logic error introduced while patching CVE-2026-29146, the raw unencrypted bytes are silently forwarded downstream and passed to `XByteBuffer.deserialize()`, which internally calls `ObjectInputStream.readObject()`. Because no authentication is required on the Tribes receiver port (TCP 4000 by default), a remote unauthenticated attacker can send a crafted serialized Java object directly to that port and, if the right gadget classes are on the classpath (e.g., `commons-collections`), achieve arbitrary code execution on the target server.
**CVSS Score:** 7.5 (High)
**Affected versions:**
- Apache Tomcat 9.0.0-M1 through 9.0.116
- Apache Tomcat 10.1.0-M1 through 10.1.53
- Apache Tomcat 11.0.0-M1 through 11.0.20
**Fixed in:** 9.0.117 / 10.1.54 / 11.0.21
Sources:
- Apache security advisory โ https://tomcat.apache.org/security-9.html
- CVE entry โ https://vulners.com/cve/CVE-2026-34486
# MITRE ATT&CK Techniques Used
The following techniques are exercised during the exploitation of this CVE. The mapping was built using the MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/).
| Tactic | ID | Technique |
|-------------------|---------|------------------------------------------|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1059.004 | Unix Shell (via RCE callback) |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
A reference Navigator layer file is available in `setup/tools/mitre_layer.json`.
# Sources
- CVE-2026-34486 โ https://vulners.com/cve/CVE-2026-34486
- Apache Tomcat Security Advisories โ https://tomcat.apache.org/security-9.html
- MITRE ATT&CK T1190 โ https://attack.mitre.org/techniques/T1190/
- MITRE ATT&CK T1203 โ https://attack.mitre.org/techniques/T1203/
- ysoserial project โ https://github.com/frohoff/ysoserial
- Java deserialization gadget chain overview โ https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
- Apache Tribes clustering documentation โ https://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html
- Oligo Security analysis of CVE-2026-34486 โ https://www.oligo.security/blog/apache-tomcat-cve-2026-34486