Description
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118.

Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.
Published: 2026-06-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Apache Tomcat’s FFM connector is configured with an invalid certificate revocation list, but the system fails to abort processing or take remedial action. This flaw allows a malicious actor to supply a forged or expired client certificate that would normally be detected, enabling impersonation or unauthorized access to protected resources. The weakness is a classic case of detection of an error condition without subsequent handling, a type of flaw listed as CWE‑390.

Affected Systems

Systems running Apache Tomcat versions 11.0.0‑M1 through 11.0.22, 10.1.0‑M7 through 10.1.55, or 9.0.83 through 9.0.118 are affected. The issue is specific to the FFM based connector component within these Tomcat releases.

Risk and Exploitability

While no current exploitation metrics (EPSS) are available and the vulnerability is not in CISA’s KEV catalog, the lack of failure on CRL errors means that an attacker can potentially bypass revocation checks without detection. The attack vector is local or remote depending on the deployment of the FFM connector, and no authentication or privileged access is required to trigger the flaw. The CVSS score is not provided, but administrators should treat this as a higher‑severity issue because it permits credential forgery and could result in unauthorized data access.

Generated by OpenCVE AI on June 29, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Tomcat to a fixed release (11.0.23, 10.1.56, or 9.0.119).
  • Re‑configure the CRL settings to ensure that any invalid or missing list causes the server to reject the connection rather than proceed silently.
  • Validate certificate paths externally or employ a separate validation component that enforces stricter revocation policies.

Generated by OpenCVE AI on June 29, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.
Title Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector
Weaknesses CWE-390
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-29T22:24:26.203Z

Reserved: 2026-06-09T14:08:56.764Z

Link: CVE-2026-53434

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:30:05Z

Weaknesses
  • CWE-390

    Detection of Error Condition Without Action