explaingit

striga-ai/cve-2026-34486

Analysis updated 2026-05-18

61JavaAudience · developerComplexity · 3/5Setup · moderate

TLDR

A proof of concept that shows how a flawed encryption check in Apache Tomcat clustering lets an attacker run code on the server without logging in.

Mindmap

mindmap
  root((CVE-2026-34486))
    What it does
      Tomcat Tribes bug
      Fail open encryption
      Unauthenticated RCE
    Tech stack
      Java
      Apache Tomcat
      Docker
    Use cases
      Vulnerability verification
      Security research
      Patch testing
    Audience
      Security researchers
      Tomcat administrators

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify whether your own Tomcat cluster deployment is vulnerable to CVE-2026-34486

USE CASE 2

Study how a fail open encryption bug leads to unauthenticated remote code execution

USE CASE 3

Test patched Tomcat versions to confirm the fix works

USE CASE 4

Learn how Java deserialization gadget chains are used in exploits

What is it built with?

JavaApache TomcatDockerPython

How does it compare?

striga-ai/cve-2026-34486margele/openzenredis/docs
Stars615669
LanguageJavaJavaJava
Setup difficultymoderatehardmoderate
Complexity3/55/52/5
Audiencedeveloperresearcherdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Docker, Java 21, and Python 3, only meant to be run against a disposable local container.

In plain English

This repository is a proof of concept for a specific security vulnerability, CVE-2026-34486, found in Apache Tomcat, a widely used Java web server. The bug lives in a component called Tribes, which Tomcat uses to let multiple server instances talk to each other in a cluster. Tribes has an EncryptInterceptor feature meant to encrypt that traffic between servers, but the researchers found a fail open flaw: if an attacker sends unencrypted data instead, the interceptor lets it through rather than rejecting it. Combined with how Tomcat deserializes incoming Java objects, this allows an attacker with network access to the cluster port to run arbitrary code on the server without needing any login credentials. The affected versions are Tomcat 11.0.19 and later, 10.1.53 and later, and 9.0.116 and later. The issue is fixed in versions 11.0.21, 10.1.54, and 9.0.117, so anyone running an affected version should upgrade. The vulnerability was found and reported by a researcher at striga.ai, and the repository links to their full technical writeup for background on how the bug was discovered. To use the repository, you need Docker, Java 21, and Python 3 installed. Running a single script, run.sh, does everything automatically: it builds a Docker image, starts a vulnerable Tomcat 11.0.20 instance with EncryptInterceptor enabled, crafts a Java deserialization gadget chain payload, and sends it unencrypted to the Tribes clustering port. It then checks for a marker file inside the container to confirm that arbitrary code execution succeeded. A cleanup command is provided to remove the Docker container afterward. This project is intended for security researchers, penetration testers, and Tomcat administrators who want to verify whether their own deployments are vulnerable and understand the mechanics of the flaw, not as a tool for attacking systems without authorization.

Copy-paste prompts

Prompt 1
Explain step by step what run.sh does in this CVE-2026-34486 proof of concept.
Prompt 2
Walk me through why the EncryptInterceptor fail open bug allows unauthenticated code execution.
Prompt 3
Help me check if my Tomcat cluster is running an affected version and needs the CVE-2026-34486 patch.
Prompt 4
Explain what a Java deserialization gadget chain is using this repository as an example.

Frequently asked questions

What is cve-2026-34486?

A proof of concept that shows how a flawed encryption check in Apache Tomcat clustering lets an attacker run code on the server without logging in.

What language is cve-2026-34486 written in?

Mainly Java. The stack also includes Java, Apache Tomcat, Docker.

How hard is cve-2026-34486 to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cve-2026-34486 for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.