CVE-2026-34486: Apache Tomcat Tribes Regression Creates Unauthenticated RCE Path

ID: 84cf5666-f244-5b41-8e84-5a9073c1d1eb

STIX ID: report--84cf5666-f244-5b41-8e84-5a9073c1d1eb

Feed Name: SOCRadar Blog

Threat Score
70/100

Date Published: 2026-04-14

Date Updated: 2026-04-30

Author: Ameer Owda

...
...

CVE-2026-34486 is a regression in Apache Tomcat Tribes: EncryptInterceptor can forward attacker-controlled bytes after a decryption failure, and those bytes can reach an unfiltered Java deserialization path, potentially enabling unauthenticated RCE. Affected installations are Tomcat 9.0.116, 10.1.53, and 11.0.20 with Tribes clustering and EncryptInterceptor enabled. Fixes are available in 9.0.117, 10.1.54, and 11.0.21; defenders should patch, or restrict access to the Tribes receiver (TCP/4000) in the meantime, and add detection for decrypt failure log entries.
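The summary gives defenders three facts to act on: the exact affected releases, the precondition (Tribes clustering with EncryptInterceptor enabled), and the exposed receiver port. The following triage script, an added example that is not part of the SOCRadar post, combines them into one check against a host's Tomcat version and `conf/server.xml`. It assumes (not stated in the post) that EncryptInterceptor is configured as an `<Interceptor>` element with the class name `org.apache.catalina.tribes.group.interceptors.EncryptInterceptor` under `Cluster/Channel`, and that the receiver port is the `port` attribute of the Channel's `<Receiver>` element; the sample `server.xml` is constructed for the example.

```python
"""Triage check for CVE-2026-34486 (added example, not from the SOCRadar post).

Assumptions not stated on the page: EncryptInterceptor appears in server.xml as an
<Interceptor> under Server/Service/Engine/Cluster/Channel, and the Tribes receiver
port is the 'port' attribute of that Channel's <Receiver>. An interceptor added
programmatically rather than in server.xml would not be seen by this scan.
"""
import xml.etree.ElementTree as ET

# Releases the post lists as affected, and the releases it names as fixed.
AFFECTED_VERSIONS = {"9.0.116", "10.1.53", "11.0.20"}
FIXED_VERSIONS = {"9.0.117", "10.1.54", "11.0.21"}

ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# Constructed sample server.xml fragment; the key value is a placeholder, not a real secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
        <Channel className="org.apache.catalina.tribes.group.GroupChannel">
          <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
                    address="0.0.0.0" port="4000"/>
          <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                       encryptionKey="PLACEHOLDER_KEY"/>
        </Channel>
      </Cluster>
    </Engine>
  </Service>
</Server>
"""


def tribes_exposure(server_xml: str) -> dict:
    """Report the Tribes settings in server.xml that matter for this CVE."""
    root = ET.fromstring(server_xml)
    result = {
        "cluster": False,
        "encrypt_interceptor": False,
        "receiver_address": None,
        "receiver_port": None,
    }
    for cluster in root.iter("Cluster"):
        result["cluster"] = True
        for channel in cluster.iter("Channel"):
            for interceptor in channel.iter("Interceptor"):
                if interceptor.get("className") == ENCRYPT_INTERCEPTOR:
                    result["encrypt_interceptor"] = True
            receiver = channel.find("Receiver")
            if receiver is not None:
                result["receiver_address"] = receiver.get("address")
                port = receiver.get("port")
                result["receiver_port"] = int(port) if port and port.isdigit() else None
    return result


def assess(version: str, server_xml: str) -> dict:
    """Combine the Tomcat version with the server.xml findings into a triage verdict."""
    version = version.strip()
    exposure = tribes_exposure(server_xml)
    # The regression needs all three: an affected release, clustering, and EncryptInterceptor.
    vulnerable = (
        version in AFFECTED_VERSIONS
        and exposure["cluster"]
        and exposure["encrypt_interceptor"]
    )
    actions = []
    if vulnerable:
        actions.append("upgrade to the fixed release for this branch: " + ", ".join(sorted(FIXED_VERSIONS)))
        port = exposure["receiver_port"] or 4000
        actions.append(f"until patched, restrict TCP/{port} (Tribes receiver) to cluster members only")
        actions.append("alert on EncryptInterceptor decrypt failure log entries")
    elif version in AFFECTED_VERSIONS:
        actions.append("affected release, but Tribes clustering with EncryptInterceptor was not found in server.xml; "
                       "confirm no other cluster configuration exists, then plan the upgrade")
    else:
        actions.append("version is not among the affected releases listed in the post")
    return {"version": version, "vulnerable": vulnerable, "exposure": exposure, "actions": actions}


if __name__ == "__main__":
    for v in ("9.0.116", "10.1.54"):
        verdict = assess(v, SAMPLE_SERVER_XML)
        print(v, "vulnerable" if verdict["vulnerable"] else "not vulnerable", verdict["actions"])
```

Run it against the real `conf/server.xml` and the output of `catalina.sh version` for each node; the `receiver_address` field is useful on its own, since a receiver bound to `0.0.0.0` rather than a cluster-only interface is the case where restricting TCP/4000 at the firewall matters most.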