git404hub

what is cve-2026-34486 fr?

striga-ai/cve-2026-34486 — explained in plain English

Analysis updated 2026-05-18

61JavaAudience · developerComplexity · 3/5Setup · moderate

tl;dr

A proof of concept that shows how a flawed encryption check in Apache Tomcat clustering lets an attacker run code on the server without logging in.

vibe map

mindmap
  root((CVE-2026-34486))
    What it does
      Tomcat Tribes bug
      Fail open encryption
      Unauthenticated RCE
    Tech stack
      Java
      Apache Tomcat
      Docker
    Use cases
      Vulnerability verification
      Security research
      Patch testing
    Audience
      Security researchers
      Tomcat administrators

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Verify whether your own Tomcat cluster deployment is vulnerable to CVE-2026-34486

VIBE 2

Study how a fail open encryption bug leads to unauthenticated remote code execution

VIBE 3

Test patched Tomcat versions to confirm the fix works

VIBE 4

Learn how Java deserialization gadget chains are used in exploits

what's the stack?

JavaApache TomcatDockerPython

how it stacks up fr

striga-ai/cve-2026-34486floxu1/uac-sni-spoofer-androidshivambansal96/vce_hyd
Stars616063
LanguageJavaJavaJava
Setup difficultymoderatemoderateeasy
Complexity3/53/52/5
Audiencedevelopergeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · moderate time til it works · 30min

Requires Docker, Java 21, and Python 3, only meant to be run against a disposable local container.

in plain english

This repository is a proof of concept for a specific security vulnerability, CVE-2026-34486, found in Apache Tomcat, a widely used Java web server. The bug lives in a component called Tribes, which Tomcat uses to let multiple server instances talk to each other in a cluster. Tribes has an EncryptInterceptor feature meant to encrypt that traffic between servers, but the researchers found a fail open flaw: if an attacker sends unencrypted data instead, the interceptor lets it through rather than rejecting it. Combined with how Tomcat deserializes incoming Java objects, this allows an attacker with network access to the cluster port to run arbitrary code on the server without needing any login credentials. The affected versions are Tomcat 11.0.19 and later, 10.1.53 and later, and 9.0.116 and later. The issue is fixed in versions 11.0.21, 10.1.54, and 9.0.117, so anyone running an affected version should upgrade. The vulnerability was found and reported by a researcher at striga.ai, and the repository links to their full technical writeup for background on how the bug was discovered. To use the repository, you need Docker, Java 21, and Python 3 installed. Running a single script, run.sh, does everything automatically: it builds a Docker image, starts a vulnerable Tomcat 11.0.20 instance with EncryptInterceptor enabled, crafts a Java deserialization gadget chain payload, and sends it unencrypted to the Tribes clustering port. It then checks for a marker file inside the container to confirm that arbitrary code execution succeeded. A cleanup command is provided to remove the Docker container afterward. This project is intended for security researchers, penetration testers, and Tomcat administrators who want to verify whether their own deployments are vulnerable and understand the mechanics of the flaw, not as a tool for attacking systems without authorization.

prompts (copy fr)

prompt 1
Explain step by step what run.sh does in this CVE-2026-34486 proof of concept.
prompt 2
Walk me through why the EncryptInterceptor fail open bug allows unauthenticated code execution.
prompt 3
Help me check if my Tomcat cluster is running an affected version and needs the CVE-2026-34486 patch.
prompt 4
Explain what a Java deserialization gadget chain is using this repository as an example.

Frequently asked questions

what is cve-2026-34486 fr?

A proof of concept that shows how a flawed encryption check in Apache Tomcat clustering lets an attacker run code on the server without logging in.

What language is cve-2026-34486 written in?

Mainly Java. The stack also includes Java, Apache Tomcat, Docker.

How hard is cve-2026-34486 to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cve-2026-34486 for?

Mainly developer.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.