striga-ai/cve-2026-34486 — explained in plain English
Analysis updated 2026-05-18
Verify whether your own Tomcat cluster deployment is vulnerable to CVE-2026-34486
Study how a fail open encryption bug leads to unauthenticated remote code execution
Test patched Tomcat versions to confirm the fix works
Learn how Java deserialization gadget chains are used in exploits
| striga-ai/cve-2026-34486 | margele/openzen | redis/docs | |
|---|---|---|---|
| Stars | 61 | 56 | 69 |
| Language | Java | Java | Java |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 3/5 | 5/5 | 2/5 |
| Audience | developer | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Docker, Java 21, and Python 3, only meant to be run against a disposable local container.
This repository is a proof of concept for a specific security vulnerability, CVE-2026-34486, found in Apache Tomcat, a widely used Java web server. The bug lives in a component called Tribes, which Tomcat uses to let multiple server instances talk to each other in a cluster. Tribes has an EncryptInterceptor feature meant to encrypt that traffic between servers, but the researchers found a fail open flaw: if an attacker sends unencrypted data instead, the interceptor lets it through rather than rejecting it. Combined with how Tomcat deserializes incoming Java objects, this allows an attacker with network access to the cluster port to run arbitrary code on the server without needing any login credentials. The affected versions are Tomcat 11.0.19 and later, 10.1.53 and later, and 9.0.116 and later. The issue is fixed in versions 11.0.21, 10.1.54, and 9.0.117, so anyone running an affected version should upgrade. The vulnerability was found and reported by a researcher at striga.ai, and the repository links to their full technical writeup for background on how the bug was discovered. To use the repository, you need Docker, Java 21, and Python 3 installed. Running a single script, run.sh, does everything automatically: it builds a Docker image, starts a vulnerable Tomcat 11.0.20 instance with EncryptInterceptor enabled, crafts a Java deserialization gadget chain payload, and sends it unencrypted to the Tribes clustering port. It then checks for a marker file inside the container to confirm that arbitrary code execution succeeded. A cleanup command is provided to remove the Docker container afterward. This project is intended for security researchers, penetration testers, and Tomcat administrators who want to verify whether their own deployments are vulnerable and understand the mechanics of the flaw, not as a tool for attacking systems without authorization.
A proof of concept that shows how a flawed encryption check in Apache Tomcat clustering lets an attacker run code on the server without logging in.
Mainly Java. The stack also includes Java, Apache Tomcat, Docker.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.