Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.

Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Published: 2026-04-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client Certificate Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

Apache Tomcat can fail to reject certain client certificates when soft-fail is disabled and the Fallback-First-Mechanism (FFM) is active. The server may accept an invalid or forged certificate and still establish an authenticated session, effectively bypassing the intended security control. This weakness is a classic authentication bypass, corresponding to CWE-287, and is further aggravated by incorrect handling of configuration settings (CWE-303).

Affected Systems

The issue affects Apache Tomcat versions 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. All milestone releases of 11.0.0 from M14 to M26 are also impacted. Users running any of these releases should verify whether client-certificate authentication is enabled and whether FFM is in use.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity, and an exploit likelihood of less than 1%. It is not listed in the known exploited vulnerabilities catalog and no public exploits are reported. Attackers would need the ability to initiate an HTTPS connection with client-certificate authentication enabled and supply a certificate that triggers the flawed verification logic. While the risk remains moderate, timely remediation is recommended.

Generated by OpenCVE AI on April 14, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to version 11.0.21, 10.1.54, 9.0.117 or later.
  • If an immediate upgrade is not possible, disable the Fallback-First-Mechanism or enable soft-fail to ensure proper certificate rejection.
  • Validate that client-certificate authentication is required and correctly configured, allowing only trusted certificates.
  • Monitor authentication logs for unexpected success events and confirm the certificate chains.

Generated by OpenCVE AI on April 14, 2026 at 13:52 UTC.
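An added triage helper, written for this page and not taken from OpenCVE or the Tomcat project, that checks an installed Tomcat version string against the affected ranges and fixed releases stated in the description above. The version-string shape (MAJOR.MINOR.PATCH with an optional -Mnn milestone suffix, milestones sorting before the GA build) is assumed from the ranges quoted on the page; the host inventory at the bottom is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Affected ranges (inclusive) and fixed releases exactly as stated in the advisory text above.
AFFECTED_RANGES = [("11.0.0-M14", "11.0.20"), ("10.1.22", "10.1.53"), ("9.0.92", "9.0.116")]
FIXED_BY_MAJOR = {11: "11.0.21", 10: "10.1.54", 9: "9.0.117"}

# Assumed version-string shape: MAJOR.MINOR.PATCH with an optional "-Mnn" milestone suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?\s*$")

def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version to a sortable tuple; a milestone sorts before the GA build it precedes."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    # Field 4 is 0 for milestones and 1 for GA, so 11.0.0-M26 < 11.0.0 < 11.0.1.
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_affected(version: str) -> bool:
    """True if the version lies inside any published affected range for this CVE."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release on the same major branch, or None if the branch is not covered by the advisory."""
    return FIXED_BY_MAJOR.get(parse_version(version)[0])

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in (("app-01", "11.0.0-M20"), ("app-02", "10.1.54"), ("app-03", "9.0.116")):
        status = "AFFECTED" if is_affected(ver) else "not affected"
        print(f"{host}: Tomcat {ver} is {status}; fixed release: {recommended_upgrade(ver)}")
```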


Advisories
Source: GitHub GHSA
ID: GHSA-24j9-x2wg-9qv6
Title: Apache Tomcat: CLIENT_CERT authentication does not fail as expected
History

Tue, 14 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*

Fri, 10 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Fri, 10 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-303
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache tomcat
Vendors & Products Apache
Apache tomcat

Fri, 10 Apr 2026 00:30:00 +0000

Type Values Removed Values Added
References

Thu, 09 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Title Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T14:22:31.310Z

Reserved: 2026-03-30T08:34:56.185Z

Link: CVE-2026-34500

Vulnrichment

Updated: 2026-04-09T23:15:55.928Z

NVD

Status: Analyzed

Published: 2026-04-09T20:16:25.330

Modified: 2026-04-14T12:43:28.680

Link: CVE-2026-34500

Redhat

Severity: Moderate

Public Date: 2026-04-09T19:36:52Z

Links: CVE-2026-34500 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:45Z

Weaknesses