| Verdict: DocuShare 7.5, 7.6, 7.7, and 8.0 are NOT affected by CVE-2026-34483, CVE-2026-34486, or CVE-2026-34487. No action is required. |
Issue Summary
Three security vulnerabilities affecting Apache Tomcat were published in early 2026 (CVE-2026-34483, CVE-2026-34486, and CVE-2026-34487). If your organization is performing a security assessment or responding to vulnerability scanner findings, this article explains whether these CVEs affect DocuShare.
DocuShare bundles Apache Tomcat as its embedded web application server. Xerox has investigated the impact of all three CVEs against DocuShare 7.5, 7.6, 7.7, and 8.0.
| Note: The CVE analysis in this article applies to DocuShare installations running Apache Tomcat 9.0.106. Depending on your DocuShare version, a Tomcat patch may need to have been applied to reach Tomcat 9.0.106. See the 'Apache Tomcat Version Reference' section for details. |
Vulnerability Summary
The table below summarizes each CVE, the Tomcat versions it affects, and whether DocuShare is impacted:
| CVE | Affected Tomcat Versions | Trigger Condition | Affects DocuShare? |
| --- | --- | --- | --- |
| CVE-2026-34486 | 9.0.116 only (also 10.1.53, 11.0.20) | Tomcat EncryptInterceptor cluster feature | No |
| CVE-2026-34487 | 9.0.13 - 9.0.116 (also 10.1.x, 11.0.x) | Cloud/Kubernetes cluster membership provider | No |
| CVE-2026-34483 | 9.0.40 - 9.0.116 (also 10.1.x, 11.0.x) | JsonAccessLogValve configured in server.xml | No |
| DocuShare 7.5 / 7.6 / 7.7 / 8.0 | Tomcat 9.0.106 (after Tomcat patch) | Does not use clustering or JsonAccessLogValve | Not Affected |
CVE Analysis
CVE-2026-34486 - Apache Tomcat: EncryptInterceptor Information Disclosure
https://nvd.nist.gov/vuln/detail/CVE-2026-34486
CVE-2026-34486 affects only Apache Tomcat version 9.0.116 (as well as 10.1.53 and 11.0.20 on their respective branches). The vulnerability requires the Tomcat EncryptInterceptor to be enabled as part of a Tomcat cluster configuration.
DocuShare is not affected for two independent reasons:
- Version range: Tomcat 9.0.106 is earlier than the affected version 9.0.116. The vulnerability was introduced in 9.0.116 and does not exist in 9.0.106.
- Feature not in use: DocuShare does not use Tomcat clustering or the EncryptInterceptor component. Even on a version that contained the flaw, the vulnerable code path would not be executed.
| CVE-2026-34486: Not applicable to DocuShare. No action required. |
CVE-2026-34487 - Apache Tomcat: Cloud/Kubernetes Cluster Membership Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-34487
CVE-2026-34487 affects Apache Tomcat versions 9.0.13 through 9.0.116, 10.1.0-M1 through 10.1.53, and 11.0.0-M1 through 11.0.20. The vulnerability is triggered only when Tomcat is configured to use a cloud or Kubernetes-based cluster membership provider.
Tomcat 9.0.106 (the version used by DocuShare after applying the applicable Tomcat patch) falls within the version range listed for this CVE. However, DocuShare does not use Tomcat clustering in any form. The cloud and Kubernetes cluster membership providers are not enabled or configured in a DocuShare installation. The vulnerable code path is therefore never executed.
| CVE-2026-34487: Not applicable to DocuShare. No action required. |
CVE-2026-34483 - Apache Tomcat: JsonAccessLogValve Log Injection
https://nvd.nist.gov/vuln/detail/CVE-2026-34483
CVE-2026-34483 affects Apache Tomcat versions 9.0.40 through 9.0.116, 10.1.0-M1 through 10.1.53, and 11.0.0-M1 through 11.0.20. The vulnerability is triggered only when the JsonAccessLogValve is configured and in use in the Tomcat server configuration.
Tomcat 9.0.106 (the version used by DocuShare after applying the applicable Tomcat patch) falls within the version range listed for this CVE. However, DocuShare does not configure or use the JsonAccessLogValve component. The vulnerable code path is therefore never executed in a standard DocuShare installation.
| CVE-2026-34483: Not applicable to DocuShare. No action required. |
Apache Tomcat Version Reference
The CVE analysis in this article is based on Apache Tomcat 9.0.106, which is the version in use on a fully patched DocuShare installation. Older DocuShare versions ship with an earlier Tomcat build and require a Tomcat patch to be applied to reach version 9.0.106. The Tomcat patch is available from the DocuShare support portal for each supported release.
| DocuShare Version | Tomcat Version (after Tomcat patch) |
| --- | --- |
| DocuShare 7.5 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.6 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.7 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 8.0 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| Note: If you have not yet applied the Tomcat patch for your DocuShare version, it is recommended to do so as part of general maintenance. Contact Xerox DocuShare Support for the appropriate patch for your version. |
Vulnerability Scanner Findings
If your organization's vulnerability scanner reports CVE-2026-34483, CVE-2026-34486, or CVE-2026-34487 based on the Tomcat version string alone — without evaluating the required trigger conditions — this article can be used as supporting documentation to demonstrate that DocuShare is not at risk.
Key points for scanner remediation workflows:
- CVE-2026-34486 and CVE-2026-34483 require specific Tomcat features (EncryptInterceptor or JsonAccessLogValve) that DocuShare does not configure or use.
- CVE-2026-34486 additionally requires Tomcat 9.0.116, which is a higher version than DocuShare's bundled Tomcat 9.0.106.
- CVE-2026-34487 requires Tomcat clustering with a cloud/Kubernetes membership provider, which is not part of any DocuShare deployment.
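To support a scanner exception with evidence from the installation itself, the same version-plus-trigger reasoning can be run against the Tomcat version and server.xml in use. The script below is an added example, not Xerox or Apache tooling: the version ranges come from the table in this article, the class-name markers are an assumed mapping of each trigger condition to Tomcat class names, and the sample server.xml is constructed rather than DocuShare's shipped file.

```python
import xml.etree.ElementTree as ET

# 9.0.x version ranges copied from this article's summary table.
# Markers: assumed mapping of each trigger condition to Tomcat class names.
CVES = {
    "CVE-2026-34486": ((9, 0, 116), (9, 0, 116),
                       "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"),
    "CVE-2026-34487": ((9, 0, 13), (9, 0, 116),
                       "org.apache.catalina.tribes.membership.cloud."),
    "CVE-2026-34483": ((9, 0, 40), (9, 0, 116),
                       "org.apache.catalina.valves.JsonAccessLogValve"),
}

def active_attribute_values(server_xml: str) -> set:
    """Attribute values of the active configuration; the parser drops XML comments."""
    root = ET.fromstring(server_xml)
    return {value for el in root.iter() for value in el.attrib.values()}

def assess(tomcat_version: str, server_xml: str) -> dict:
    """Per CVE: is the version in range, is the trigger configured, and both?"""
    version = tuple(int(part) for part in tomcat_version.split("."))
    values = active_attribute_values(server_xml)
    report = {}
    for cve, (low, high, marker) in CVES.items():
        in_range = low <= version <= high
        configured = any(marker in value for value in values)
        report[cve] = {"version_in_range": in_range,
                       "feature_configured": configured,
                       "exposed": in_range and configured}
    return report

# Constructed sample: the cluster block is commented out, so it is not active.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
             <Channel className="org.apache.catalina.tribes.group.GroupChannel">
               <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"/>
             </Channel>
           </Cluster> -->
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    for cve, verdict in assess("9.0.106", SAMPLE).items():
        print(cve, verdict)
```

Parsing the file as XML, rather than searching it as text, keeps a commented-out cluster block from being reported as an active trigger condition.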
Conclusion
Xerox DocuShare has reviewed CVE-2026-34483, CVE-2026-34486, and CVE-2026-34487 and confirmed that DocuShare 7.5, 7.6, 7.7, and 8.0 are not affected by any of them. No patches, configuration changes, or workarounds are required for DocuShare in response to these CVEs.