## https://sploitus.com/exploit?id=842CCA4A-BD4C-5FC6-B699-7C1C4593B59D
# CVE-2026-34486
EncryptInterceptor fail-open bypass in Apache Tomcat Tribes clustering leading to unauthenticated RCE via Java deserialization.
Affected: 11.0.19+, 10.1.53+, 9.0.116+.
Fixed in: 11.0.21, 10.1.54, 9.0.117.
Found and reported by Bartlomiej Dmitruk ([striga.ai](https://striga.ai)).
Writeup: https://striga.ai/research/tomcat-tribes-unauth-rce
## Requirements
- Docker
- Java 21
- Python 3
## Usage
One-command reproduction:
```sh
bash run.sh
```
This builds the Docker image, starts Tomcat 11.0.20 with EncryptInterceptor, generates a CC6 gadget chain payload, sends it unencrypted to the Tribes receiver on port 4000, and verifies RCE by checking for `/tmp/pwned` inside the container.
## Cleanup
```sh
docker rm -f tomcat-encrypt-poc
```