Apache Tomcat OCSP Validation Flaws Let CLIENT_CERT Authentication Fail Open
Apache disclosed two moderate-severity vulnerabilities, CVE-2026-29145 and CVE-2026-34500, affecting Apache Tomcat and, in one case, Apache Tomcat Native, where OCSP-based certificate validation can sometimes soft-fail even when soft-fail is disabled. In affected deployments using CLIENT_CERT authentication, this can cause certificate checks not to fail as expected, potentially allowing authentication to proceed under conditions that should have been rejected. The first flaw impacts Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13; Tomcat through 8.5.100 was listed as unaffected.
Apache said the second flaw, CVE-2026-34500, affects OCSP checking with FFM and extends to Tomcat 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. The project urged users to upgrade to fixed releases: for CVE-2026-29145, Tomcat 11.0.20, 10.1.53, or 9.0.116 and Tomcat Native 1.3.7 or 2.0.14; for CVE-2026-34500, Tomcat 11.0.21, 10.1.54, or 9.0.117. Apache credited gregk4sec with reporting CVE-2026-29145 and Haruki Oyama of Waseda University with reporting CVE-2026-34500.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache discloses CVE-2026-34500 affecting Tomcat with FFM OCSP checks
Apache disclosed CVE-2026-34500, a moderate-severity Tomcat vulnerability in which CLIENT_CERT authentication may soft-fail during OCSP checking with FFM even when soft-fail is disabled. Apache recommended upgrading to Tomcat 11.0.21, 10.1.54, or 9.0.117; the flaw was reported by Haruki Oyama of Waseda University.
Apache discloses CVE-2026-29145 in Tomcat and Tomcat Native
Apache disclosed CVE-2026-29145, a moderate-severity flaw in Apache Tomcat and Apache Tomcat Native where CLIENT_CERT authentication can fail open in some OCSP validation scenarios even when soft-fail is disabled. The issue was credited to gregk4sec, and Apache advised upgrading to Tomcat 11.0.20, 10.1.53, or 9.0.116 and Tomcat Native 1.3.7 or 2.0.14.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
oss-sec: CVE-2026-29145: Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
seclists.org
Open sourceoss-sec: CVE-2026-34500: Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Recent Vulnerabilities in Apache Tomcat
Two significant vulnerabilities have been identified in Apache Tomcat, each with distinct attack vectors and impacts. CVE-2025-61795 is an improper resource shutdown or release vulnerability that can lead to a denial-of-service (DoS) condition if temporary files from multipart uploads are not cleaned up promptly, potentially exhausting disk space and exposing sensitive data. This issue affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and several end-of-life versions, with patches available in 11.0.12, 10.1.47, and 9.0.110 and later. CVE-2025-55752 is a relative path traversal vulnerability introduced by a regression in the fix for a previous bug, allowing attackers to bypass security constraints and potentially upload malicious files if specific, non-default configurations are present. This vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and certain EOL versions, with fixes in 11.0.11, 10.1.45, and 9.0.109 and later. Both vulnerabilities require prompt attention from administrators, especially those running affected Tomcat versions. The DoS vulnerability (CVE-2025-61795) can be exploited by attackers to exhaust server resources, while the path traversal flaw (CVE-2025-55752) could lead to remote code execution under specific conditions. Organizations are advised to upgrade to the latest patched versions to mitigate these risks and review their Tomcat configurations to ensure that non-default features such as HTTP PUT requests and URL rewriting are not unnecessarily enabled.
Mar 21, 2026
Apache Tomcat auth bypass and Apache CXF JMS RCE flaw disclosed
Apache disclosed **CVE-2026-43512**, a moderate-severity authentication bypass in Tomcat's DIGEST authenticator that can let any user unknown to the configured Realm authenticate if the supplied password is `"null"`. The flaw affects multiple supported branches, including Tomcat `11.0.0-M1` through `11.0.21`, `10.1.0-M1` through `10.1.54`, and `9.0.0.M1` through `9.0.117`, with older unsupported releases potentially affected. Apache advised users to upgrade to `11.0.22+`, `10.1.55+`, or `9.0.118+`. Apache also disclosed **CVE-2026-44417**, a moderate-severity flaw in the JMS transport component of Apache CXF caused by an incomplete fix for **CVE-2025-48913**. The remaining vulnerable code path can still lead to remote code execution when untrusted users are allowed to configure JMS. Affected releases include CXF JMS transport `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` versions before `3.6.11`; Apache said organizations should upgrade to `4.2.1`, `4.1.6`, or `3.6.11`.
May 25, 2026
Apache Tomcat Patches for URL Rewrite Bypass and Console Injection Vulnerabilities
Apache Tomcat released security updates addressing two critical vulnerabilities: a URL rewrite bypass (CVE-2025-55752) that could allow directory traversal and potential remote code execution (RCE) if the HTTP PUT method is enabled, and a console ANSI injection flaw (CVE-2025-55754) that could enable manipulation of log messages via escape sequences. The affected versions include Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108, with users and administrators urged to apply the necessary patches immediately to mitigate risk. The URL rewrite bypass vulnerability allows attackers to craft malicious requests that evade security controls, potentially leading to unauthorized file access or code execution on vulnerable servers. The console ANSI injection issue could be exploited to alter log output, possibly obscuring malicious activity or facilitating further attacks. Security advisories from both Apache and national cybersecurity authorities emphasize the importance of prompt remediation to prevent exploitation in the wild.
Mar 21, 2026