striga-ai

Apache Tomcat Tribes EncryptInterceptor fail-open bypass, unauthenticated RCE PoC

Found May 12, 2026 at 42 stars
AI Summary (repository language: Java)

This project is a controlled demonstration of a flaw in Apache Tomcat's Tribes clustering layer (the EncryptInterceptor used to encrypt inter-node traffic) that lets an unauthenticated attacker execute code remotely on a cluster node.

How It Works

1. Discover the demo: you come across the project while researching vulnerabilities in widely deployed web servers.

2. Get the demo files: clone or download the package to a machine where you can test safely.

3. Start the quick demo: a single command brings up an isolated, deliberately vulnerable Tomcat instance.

4. Trigger the flaw: the demo builds a serialized payload and sends it to the clustering port, showing how an outsider who can reach that port could take control.

5. Wait and watch: the script pauses while the payload is processed and checks whether the flaw fired.

6. See the proof: success is confirmed by evidence left inside the test environment (the review below names a proof file in the container), which makes the impact concrete.

AI-Generated Review

What is CVE-2026-34486?

This Java-based PoC demonstrates an unauthenticated remote code execution (RCE) vulnerability in the EncryptInterceptor of Apache Tomcat's Tribes clustering component. According to the review, it affects Tomcat 11 before 11.0.21, Tomcat 10 before 10.1.54 and Tomcat 9 before 9.0.117; on "fail-open" builds (the review singles out 11.0.19 and later) an unencrypted serialized payload sent to the Tribes receiver (default port 4000) is accepted and deserialized instead of being rejected. Tribes performs no peer authentication of its own, so once the interceptor fails open the only remaining control is who can reach that port. A single bash command spins up a vulnerable Dockerized Tomcat, generates a gadget chain, sends it with a Python script, and confirms RCE by checking for a proof file inside the container, so you can reproduce CVE-2026-34486 without hand-assembling Tomcat versions.

Why is it gaining traction?

Unlike scattered advisories, it delivers one-command, end-to-end proof against a real Tomcat cluster, exercising the Tribes encryption bypass without any manual setup. The self-contained Docker flow verifies RCE immediately, the barrier to entry is low, and 42 stars at discovery signals early interest from security practitioners.

Who should use this?

Tomcat administrators auditing clusters that have Tribes enabled, before and after upgrading; pentesters validating patches in Tomcat 9, 10 and 11 environments; and researchers studying Java deserialization exposure in clustering protocols. Skip it if you are not working on CVE-2026-34486 specifically.
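The first question an administrator has after reading the version ranges above and the audience note is whether their own deployment is in scope. The following audit helper is an added example and is not code from the striga-ai repository: it classifies a Tomcat version against the fix versions quoted on this page and inspects a server.xml for the Tribes Receiver binding and for the presence of the EncryptInterceptor. The two sample server.xml documents, the address 10.0.0.5 and the hex encryptionKey are constructed for the example; major lines the page does not mention (such as 8.5) are reported as unknown rather than safe.

```python
"""Audit helper: is a Tomcat cluster in scope for the EncryptInterceptor bypass?

Added example, not code from the striga-ai PoC. It classifies a Tomcat version
against the ranges quoted on this page and inspects server.xml for the Tribes
Receiver binding and the EncryptInterceptor. Sample configs are constructed.
"""
import re
import xml.etree.ElementTree as ET

ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# First fixed release per major line, as quoted in the review on this page.
FIXED = {9: (9, 0, 117), 10: (10, 1, 54), 11: (11, 0, 21)}


def version_status(version):
    """Return 'affected', 'fixed' or 'unknown' for a dotted Tomcat version.

    Major lines the page does not mention (e.g. 8.5) are reported as
    'unknown', not 'fixed': absence from the advisory text is not a clean bill.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "affected" if v < fixed else "fixed"


def audit_cluster(server_xml):
    """Return one finding per <Cluster> element in server_xml.

    Tribes defaults apply when attributes are omitted: the NioReceiver
    listens on port 4000 and address "auto" (first non-loopback interface).
    """
    findings = []
    for cluster in ET.fromstring(server_xml).iter("Cluster"):
        channel = cluster.find("Channel")
        receiver = channel.find("Receiver") if channel is not None else None
        address = receiver.get("address", "auto") if receiver is not None else "auto"
        port = int(receiver.get("port", "4000")) if receiver is not None else 4000
        interceptors = [] if channel is None else [
            i.get("className", "") for i in channel.findall("Interceptor")]
        encrypted = ENCRYPT_INTERCEPTOR in interceptors
        exposed = address in ("auto", "0.0.0.0", "::")
        notes = []
        if not encrypted:
            notes.append(f"no EncryptInterceptor: any peer reaching port {port} can inject channel messages")
        else:
            notes.append("EncryptInterceptor present, but bypassed on affected versions; patch and restrict reachability")
        if exposed:
            notes.append(f"Receiver address={address!r} binds a routable interface; pin it to the cluster NIC and firewall port {port}")
        findings.append({"address": address, "port": port,
                         "encrypt_interceptor": encrypted,
                         "receiver_exposed": exposed, "notes": notes})
    return findings


def assess(server_xml, version):
    """Combine the version check with the config audit into one report."""
    return {"version": version, "status": version_status(version),
            "clusters": audit_cluster(server_xml)}


# Constructed sample: defaults left in place, no interceptor.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="auto" port="4000"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: receiver pinned to a private address (10.0.0.5 is made
# up) and the channel encrypted; the hex key is a placeholder, not a real one.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="10.0.0.5" port="4000"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="00112233445566778899aabbccddeeff"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        report = assess(xml, "11.0.19")
        print(label, report["status"], *report["clusters"][0]["notes"], sep="\n  ")
```

Run it against your own server.xml by passing the file contents to assess() together with the version from the Tomcat banner. Note that an EncryptInterceptor in the config is not a mitigation on its own for an affected version, which is the point of this PoC; the report therefore flags reachability of the receiver port regardless of whether the interceptor is present.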

Verdict

Grab it for a dead-simple reproduction if you run affected Tomcat versions: the docs are crisp and the Docker flow reliable, which is as much as a niche security PoC needs. Not production tooling, but useful for patch confidence; test your setup now.
