{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34500", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-30T08:34:56.185Z", "datePublished": "2026-04-09T19:36:52.857Z", "dateUpdated": "2026-04-10T14:22:31.310Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.20", "status": "affected", "version": "11.0.0-M14", "versionType": "semver"}, {"lessThanOrEqual": "10.1.53", "status": "affected", "version": "10.1.22", "versionType": "semver"}, {"lessThanOrEqual": "9.0.116", "status": "affected", "version": "9.0.92", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.</p>"}], "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:52.857Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:55.928Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:21:50.556349Z", "id": "CVE-2026-34500", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:22:31.310Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:55.928Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:21:50.556349Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:20:41.381Z"}}], "cna": {"title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M14", "versionType": "semver", "lessThanOrEqual": "11.0.20"}, {"status": "affected", "version": "10.1.22", "versionType": "semver", "lessThanOrEqual": "10.1.53"}, {"status": "affected", "version": "9.0.92", "versionType": "semver", "lessThanOrEqual": "9.0.116"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:52.857Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34500", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:22:31.310Z", "dateReserved": "2026-03-30T08:34:56.185Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:36:52.857Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."}], "id": "CVE-2026-34500", "lastModified": "2026-04-10T15:16:24.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:25.330", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration", "id": "2457043", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457043"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Apache Tomcat. This vulnerability allows an attacker to bypass client certificate authentication in specific scenarios when the 'soft fail' option is disabled and the Flexible Failure Mechanism (FFM) is active. This could result in unauthorized access to sensitive resources that are intended to be protected by client certificates."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that client certificate authentication is configured to properly handle failures. If the Flexible Failure Mechanism (FFM) is not critical for your deployment, consider disabling it. Alternatively, ensure the 'soft fail' option is enabled for client certificate authentication to prevent bypass scenarios. A restart of the Apache Tomcat service will be required for these changes to take effect."}, "name": "CVE-2026-34500", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:36:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34500\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34500\nhttps://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"], "statement": "This Moderate impact flaw in Apache Tomcat allows for client certificate authentication bypass. This occurs when 'soft fail' is disabled and the Flexible Failure Mechanism (FFM) is active, potentially granting unauthorized access to resources protected by client certificates. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Fedora, are affected if configured with Apache Tomcat in this specific manner.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M14,11.0.20]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.22,10.1.53]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.92,9.0.116]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T21:22:39.278957+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117, which contain the fix for this authentication issue."], "summary": {"action": "Patch Immediately", "impact": "Authentication bypass"}, "threat_synthesis": {"affected_systems": "Apache Tomcat versions 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116 are impacted. Users running any of these releases should consider them vulnerable until the fix is applied.", "description_and_impact": "A flaw exists in Apache Tomcat\u2019s handling of OCSP checks when the Forwarding Failure Mode (FFM) is used and soft-fail is disabled. In certain scenarios the client certificate authentication process does not fail as expected, allowing an attacker to present a valid or invalid certificate and still be granted authenticated access. The primary effect is an unauthorized elevation of privileges or the ability to impersonate a trusted client, thereby compromising the confidentiality and integrity of protected resources. The weakness underlying this issue is improper authentication, which is cataloged as CWE-287.", "risk_and_exploitability": "The vulnerability provides an authentication bypass that can be exploited over the network, as interaction with the server requires no privileged user permissions. The exact CVSS score is not supplied in the available data, and EPSS information is lacking, but the nature of the flaw\u2014unauthorized authentication\u2014suggests a high potential for exploitation. The issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog, indicating that publicly known exploits may not yet exist, yet the use case for an attacker to forge certificates remains feasible. The attack vector is likely external network traffic directed at the Tomcat service, and the attacker must generate or obtain a certificate that passes the server\u2019s validation, though the server\u2019s filters may inadvertently accept compromised certificates due to the bug."}}}}, "created": "2026-04-10T08:38:46.890993+00:00", "updated": "2026-04-10T09:29:30.023549+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"], "weaknesses": ["CWE-287"]}