CVE-2026-29145 - Vulnerability Details

- Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Published: 2026-04-09

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The issue lies in OCSP handling for client‑certificate authentication in Apache Tomcat and its native library. When OCSP soft‑fail is disabled, the validation routine may allow certain certificates that should fail, causing the authentication process to succeed even though the certificate is not trusted. This flaw effectively bypasses client‑side authentication, enabling an attacker to present a forged or expired certificate and gain authorized access to protected applications. The result can be disclosure of confidential data, modification of data, or denial of services that rely on proper client authentication.

Affected Systems

Affected products are Apache Tomcat versions 9.0.83 through 9.0.115, 10.1.0‑M7 through 10.1.52, and 11.0.0‑M1 through 11.0.18. Apache Tomcat Native is vulnerable in versions 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13. The vendor has released fixes in Tomcat 9.0.116, 10.1.53, and 11.0.20, and Tomcat Native 1.3.7 and 2.0.14.

Risk and Exploitability

The CVSS score is 9.1, indicating high severity. EPSS is under 1 %, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur over a publicly reachable network where the server is configured for client‑certificate authentication with OCSP soft‑fail disabled; an attacker could craft a request with a manipulated certificate chain to trigger the bypass. Because the flaw is purely in verification logic, no additional privileges are required beyond the ability to send a request to the affected server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache Tomcat

unaffected

Version	Status	Constraints
`11.0.0-M1`	affected	≤ 11.0.18
`10.1.0-M7`	affected	≤ 10.1.52
`9.0.83`	affected	≤ 9.0.115
`0`	unaffected	≤ 8.5.100

Apache Software Foundation

Apache Tomcat Native

unaffected

Version	Status	Constraints
`1.1.23`	affected	≤ 1.1.34
`1.2.0`	affected	≤ 1.2.39
`1.3.0`	affected	≤ 1.3.6
`2.0.0`	affected	≤ 2.0.13

Configuration 1 [-]

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:10.1.0:-::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
	cpe:2.3:a:apache:tomcat_native::::::::
	cpe:2.3:a:apache:tomcat_native::::::::

No data.

Vendor Product Confidence Versions

Apache

Tomcat

100%

Version	Status	Scheme	Platform
`[11.0.0-M1,11.0.18]`	affected	semver	—
`[10.1.0-M7,10.1.52]`	affected	semver	—
`[9.0.83,9.0.115]`	affected	semver	—
`[0,8.5.100]`	unaffected	generic	—

Apache

Tomcat Native

100%

Version	Status	Scheme	Platform
`[1.1.23,1.1.34]`	affected	semver	—
`[1.2.0,1.2.39]`	affected	semver	—
`[1.3.0,1.3.6]`	affected	semver	—
`[2.0.0,2.0.13]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor patch by upgrading Apache Tomcat to 9.0.116, 10.1.53, or 11.0.20 and upgrading Tomcat Native to 1.3.7 or 2.0.14.
Verify the OCSP soft‑fail configuration to ensure it matches the recommended default and that client certificates are fully validated.
If an upgrade cannot be performed immediately, temporarily disable client‑certificate authentication or re‑enable OCSP soft‑fail until the patch is applied.
Monitor authentication logs for abnormal activity and configure intrusion detection to flag forged certificate attempts.

Generated by OpenCVE AI on April 14, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-95jq-rwvf-vjx4	Apache Tomcat: CLIENT_CERT authentication does not fail as expected

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00039.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/09/23
https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
https://nvd.nist.gov/vuln/detail/CVE-2026-29145
https://www.cve.org/CVERecord?id=CVE-2026-29145

History

Tue, 14 Apr 2026 13:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:10.1.0:-:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone17:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone18:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone20:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat_native::::::::

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-296

Fri, 10 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Fri, 10 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-303
References		https://nvd.nist.gov/vuln/detail/CVE-2026-29145 https://www.cve.org/CVERecord?id=CVE-2026-29145
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

Fri, 10 Apr 2026 10:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-287 CWE-296

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache tomcat Apache tomcat Native
Vendors & Products		Apache Apache tomcat Apache tomcat Native

Fri, 10 Apr 2026 00:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/09/23

Thu, 09 Apr 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Title		Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
References		https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

Subscriptions

Apache Tomcat Tomcat Native

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-04-09T19:20:24.601Z

Updated: 2026-04-10T18:11:31.014Z

Reserved: 2026-03-04T09:52:45.179Z

Link: CVE-2026-29145

Vulnrichment

Updated: 2026-04-09T23:15:49.788Z

NVD

Status : Analyzed

Published: 2026-04-09T20:16:24.447

Modified: 2026-04-14T13:22:28.357

Link: CVE-2026-29145

Redhat

Severity : Moderate

Publid Date: 2026-04-09T19:20:24Z

Links: CVE-2026-29145 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:52Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object