Impact
A flaw exists in Apache Tomcat's handling of OCSP checks when the Forwarding Failure Mode (FFM) is used and soft-fail is disabled. In certain scenarios the client certificate authentication process does not fail as expected, so an attacker can present a valid or invalid certificate and still be granted authenticated access. The primary effect is an unauthorized elevation of privileges or the ability to impersonate a trusted client, compromising the confidentiality and integrity of protected resources. The underlying weakness is improper authentication, cataloged as CWE-287.
Affected Systems
Apache Tomcat versions 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116 are affected. Users running any of these releases should treat them as vulnerable until the fix is applied.
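The affected ranges above mix a milestone release (11.0.0-M14) with final releases, which trips up naive string comparison. The following checker is an added example, not part of the advisory or of the Tomcat project: it parses Tomcat version strings (including the `-Mnn` milestone suffix), orders milestones before the corresponding final release, and reports whether a given version falls inside one of the three ranges listed on this page. The range boundaries are taken verbatim from the advisory; the function and variable names are this example's own.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("11.0.0-M14", "11.0.20"),
    ("10.1.22", "10.1.53"),
    ("9.0.92", "9.0.116"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    The fourth element is 0 for a milestone and 1 for a final release, so
    11.0.0-M14 < 11.0.0-M20 < 11.0.0 < 11.0.1 under normal tuple ordering.
    Raises ValueError for strings that are not Tomcat-style versions.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) range that contains `version`, or None.

    Only versions on the same major.minor line as a range can match it;
    this mirrors how the advisory lists one range per supported branch.
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if lo[:2] != v[:2]:
            continue  # different branch (e.g. 8.5.x is not listed at all)
        if lo <= v <= hi:
            return (low, high)
    return None


def is_affected(version: str) -> bool:
    """True when the given Tomcat version lies inside an affected range."""
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs covering both ends of each range.
    for sample in ["11.0.0-M13", "11.0.0-M14", "11.0.0", "11.0.20", "11.0.21",
                   "10.1.21", "10.1.53", "9.0.92", "9.0.117", "8.5.100"]:
        status = "AFFECTED" if is_affected(sample) else "not listed"
        print(f"{sample:12s} {status}")
```

Feed it the version string from the Tomcat banner or `catalina.sh version` output; a version outside every listed branch (such as 8.5.x) is reported as not listed rather than as safe, since the advisory says nothing about it.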
Risk and Exploitability
The vulnerability provides an authentication bypass that can be exploited over the network, since interacting with the server requires no privileged user permissions. The exact CVSS score is not supplied in the available data and EPSS information is lacking, but the nature of the flaw, an unauthorized authentication, suggests a high potential for exploitation. The issue is not currently listed in the CISA Known Exploited Vulnerabilities catalog, indicating that publicly known exploits may not yet exist, yet it remains feasible for an attacker to forge certificates. The attack vector is likely external network traffic directed at the Tomcat service, and the attacker must generate or obtain a certificate that passes the server's validation, though because of the bug the server's filters may inadvertently accept compromised certificates.