CVE-2026-24734: Improper Input Validation in Apache Tomcat

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 70.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 17

Description

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Source     | Package                                         | Affected from | Fixed in  | More
NVD        | apache/tomcat_native                            | 1.3.0         | 1.3.5     | +1
NVD        | apache/tomcat                                   | 9.0.83        | 9.0.115   | +4
CVEListV5  | apache_software_foundation/apache_tomcat        | 11.0.0-M1     | 11.0.17   | +2

Vulnerability Details (4)

GHSA: Apache Tomcat has an Improper Input Validation vulnerability (2026-02-17)
OSV: CVE-2026-24734: Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat (2026-02-17)
OSV: Apache Tomcat has an Improper Input Validation vulnerability (2026-02-17)
CVEList: Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass (2026-02-17)

Vendor Advisories (2)

Red Hat: tomcat: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation (2026-02-17)
Debian: CVE-2026-24734: tomcat10 - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. ... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-24734 Impact, Exploitability, and Mitigation Steps | Wiz