{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29145", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-04T09:52:45.179Z", "datePublished": "2026-04-09T19:20:24.601Z", "dateUpdated": "2026-04-10T18:11:31.014Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.18", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.52", "status": "affected", "version": "10.1.0-M7", "versionType": "semver"}, {"lessThanOrEqual": "9.0.115", "status": "affected", "version": "9.0.83", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "unaffected", "version": "0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "Apache Tomcat Native", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.1.34", "status": "affected", "version": "1.1.23", "versionType": "semver"}, {"lessThanOrEqual": "1.2.39", "status": "affected", "version": "1.2.0", "versionType": "semver"}, {"lessThanOrEqual": "1.3.6", "status": "affected", "version": "1.3.0", "versionType": "semver"}, {"lessThanOrEqual": "2.0.13", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "gregk4sec (https://github.com/gregk4sec)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.</p><p>Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.</p>"}], "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:20:24.601Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/23"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:49.788Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:10:50.492750Z", "id": "CVE-2026-29145", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:11:31.014Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/23"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:49.788Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-29145", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:10:50.492750Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:10:11.738Z"}}], "cna": {"title": "Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "gregk4sec (https://github.com/gregk4sec)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.18"}, {"status": "affected", "version": "10.1.0-M7", "versionType": "semver", "lessThanOrEqual": "10.1.52"}, {"status": "affected", "version": "9.0.83", "versionType": "semver", "lessThanOrEqual": "9.0.115"}, {"status": "unaffected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.5.100"}], "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache Tomcat Native", "versions": [{"status": "affected", "version": "1.1.23", "versionType": "semver", "lessThanOrEqual": "1.1.34"}, {"status": "affected", "version": "1.2.0", "versionType": "semver", "lessThanOrEqual": "1.2.39"}, {"status": "affected", "version": "1.3.0", "versionType": "semver", "lessThanOrEqual": "1.3.6"}, {"status": "affected", "version": "2.0.0", "versionType": "semver", "lessThanOrEqual": "2.0.13"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.</p><p>Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:20:24.601Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29145", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:11:31.014Z", "dateReserved": "2026-03-04T09:52:45.179Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:20:24.601Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue."}], "id": "CVE-2026-29145", "lastModified": "2026-04-10T19:16:21.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:24.447", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/23"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Authentication bypass due to CLIENT_CERT soft fail misconfiguration", "id": "2457037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457037"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Apache Tomcat and Apache Tomcat Native. When CLIENT_CERT authentication is configured with \"soft fail\" disabled, the authentication process may not correctly fail in certain scenarios. This vulnerability could allow an attacker to bypass expected client certificate authentication, potentially leading to unauthorized access to protected resources."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that CLIENT_CERT authentication is configured to strictly enforce client certificate validation. Review the Apache Tomcat conf/server.xml configuration. For SSLHostConfig or Connector elements, set the clientAuth attribute to required or ensure softFail is enabled if optional client certificate authentication is desired. A restart of the Apache Tomcat service is necessary for these configuration changes to apply."}, "name": "CVE-2026-29145", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:20:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-29145\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29145\nhttps://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"], "statement": "This Moderate vulnerability in Apache Tomcat and Apache Tomcat Native arises when CLIENT_CERT authentication is configured with \"soft fail\" disabled. This misconfiguration can lead to an authentication bypass, potentially allowing unauthorized access to protected resources. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, along with Red Hat JBoss Web Server 5 and 6, are affected if running Apache Tomcat with this specific configuration.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M1,11.0.18]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.0-M7,10.1.52]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.83,9.0.115]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,8.5.100]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.23,1.1.34]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.2.0,1.2.39]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.0,1.3.6]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Apache Tomcat Native", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat_native", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T20:51:25.169028+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to at least 11.0.20, 10.1.53, or 9.0.116 and the corresponding Tomcat Native version (1.3.7 or 2.0.14).", "Verify that the OCSP soft\u2011fail setting aligns with your security policy and re\u2011evaluate any certificates that were accepted incorrectly.", "Conduct a full audit of TLS client\u2011certificate usage to ensure no unauthorized certificates remain active."], "summary": {"action": "Immediate patch", "impact": "Improper authentication"}, "threat_synthesis": {"affected_systems": "Affected software includes Apache Tomcat versions 11.0.0\u2011M1 through 11.0.18, 10.1.0\u2011M7 through 10.1.52, and 9.0.83 through 9.0.115. Apache Tomcat Native is vulnerable in versions 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13. Upgrading to Tomcat 11.0.20, 10.1.53, or 9.0.116, and to Tomcat Native 1.3.7 or 2.0.14 resolves the issue.", "description_and_impact": "The vulnerability originates from a flaw in client\u2011certificate validation during OCSP checks. When the server is configured with OCSP soft\u2011fail disabled, it sometimes still accepts certificates that should be rejected, allowing an attacker to authenticate with a forged or otherwise invalid certificate. This bypass can grant unauthorized access to protected resources and elevate privileges, representing a critical authentication failure.", "risk_and_exploitability": "The risk is high because the flaw directly undermines authentication, a foundational security control. No CVSS or EPSS score is available, but the absence from KEV indicates it has not yet been widely exploited. The attack vector is inferred to be a TLS connection using client certificates; if an attacker supplies a certificate that passes a failed OCSP check, the server may incorrectly accept it. Therefore, exploitation requires the ability to present a client certificate to the server, which is typically limited to systems with certificate\u2011based authentication enabled."}}}}, "created": "2026-04-10T08:38:56.486550+00:00", "updated": "2026-04-10T09:29:41.422970+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat", "apache$PRODUCT$tomcat_native"], "weaknesses": ["CWE-287", "CWE-296"]}