Share
## https://sploitus.com/exploit?id=842CCA4A-BD4C-5FC6-B699-7C1C4593B59D
# CVE-2026-34486

EncryptInterceptor fail-open bypass in Apache Tomcat Tribes clustering leading to unauthenticated RCE via Java deserialization.

Affected: 11.0.19+, 10.1.53+, 9.0.116+.
Fixed in: 11.0.21, 10.1.54, 9.0.117.

Found and reported by Bartlomiej Dmitruk ([striga.ai](https://striga.ai)).

Writeup: https://striga.ai/research/tomcat-tribes-unauth-rce

## Requirements

- Docker
- Java 21
- Python 3

## Usage

One-command reproduction:

```sh
bash run.sh
```

This builds the Docker image, starts Tomcat 11.0.20 with EncryptInterceptor, generates a CC6 gadget chain payload, sends it unencrypted to the Tribes receiver on port 4000, and verifies RCE by checking for `/tmp/pwned` inside the container.

## Cleanup

```sh
docker rm -f tomcat-encrypt-poc
```