CVE-2026-34500

CWE-287 — Improper Authentication CWE-3038 documents7 sources

Severity

6.5MEDIUM

No vector

EPSS

0.1%

top 84.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat

Timeline

PublishedApr 9

Latest updateApr 10

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Affected Packages4 packages

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M14 — 11.0.20+2

▶Mavenorg.apache.tomcat:tomcat9.0.92 — 9.0.117+2

▶Mavenorg.apache.tomcat:tomcat-catalina9.0.92 — 9.0.117+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.92 — 9.0.117+2

🔴Vulnerability Details

VulDB

Apache Tomcat up to 9.0.116/10.1.53/11.0.20 CLIENT_CERT Authentication improper authentication↗2026-04-09

▶

CVEList

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled↗2026-04-09

▶

GHSA

GHSA-24j9-x2wg-9qv6: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat↗2026-04-09

▶

GHSA

Apache Tomcat: CLIENT_CERT authentication does not fail as expected↗2026-04-09

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration↗2026-04-09

▶

💬Community

Bugzilla

CVE-2026-34500 tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration [fedora-all]↗2026-04-10

▶

Bugzilla

CVE-2026-34500 Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration↗2026-04-09

▶