{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34500", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-30T08:34:56.185Z", "datePublished": "2026-04-09T19:36:52.857Z", "dateUpdated": "2026-04-10T14:22:31.310Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.20", "status": "affected", "version": "11.0.0-M14", "versionType": "semver"}, {"lessThanOrEqual": "10.1.53", "status": "affected", "version": "10.1.22", "versionType": "semver"}, {"lessThanOrEqual": "9.0.116", "status": "affected", "version": "9.0.92", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.</p>"}], "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:52.857Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:55.928Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "CWE-287 Improper Authentication"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:21:50.556349Z", "id": "CVE-2026-34500", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:22:31.310Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T23:15:55.928Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:21:50.556349Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:20:41.381Z"}}], "cna": {"title": "Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Haruki Oyama (Waseda University)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M14", "versionType": "semver", "lessThanOrEqual": "11.0.20"}, {"status": "affected", "version": "10.1.22", "versionType": "semver", "lessThanOrEqual": "10.1.53"}, {"status": "affected", "version": "9.0.92", "versionType": "semver", "lessThanOrEqual": "9.0.116"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.</p><p>This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.</p><p>Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T19:36:52.857Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34500", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:22:31.310Z", "dateReserved": "2026-03-30T08:34:56.185Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T19:36:52.857Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F8E9052-1F8B-4AE4-848E-8A68AF70799D", "versionEndExcluding": "9.0.117", "versionStartIncluding": "9.0.92", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F59692A-17FE-42A3-83DF-FD362A4E74C7", "versionEndExcluding": "10.1.54", "versionStartIncluding": "10.1.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "C690419F-47D3-4770-8F15-7EF042E1567F", "versionEndExcluding": "11.0.21", "versionStartIncluding": "11.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "899B6FF0-8701-47E7-8EDA-428A6D48786D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\n\nUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue."}], "id": "CVE-2026-34500", "lastModified": "2026-04-14T12:43:28.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T20:16:25.330", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/09/29"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Tomcat: Apache Tomcat: Authentication bypass via client certificate misconfiguration", "id": "2457043", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457043"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-303", "details": ["A flaw was found in Apache Tomcat. This vulnerability allows an attacker to bypass client certificate authentication in specific scenarios when the 'soft fail' option is disabled and the Flexible Failure Mechanism (FFM) is active. This could result in unauthorized access to sensitive resources that are intended to be protected by client certificates."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure that client certificate authentication is configured to properly handle failures. If the Flexible Failure Mechanism (FFM) is not critical for your deployment, consider disabling it. Alternatively, ensure the 'soft fail' option is enabled for client certificate authentication to prevent bypass scenarios. A restart of the Apache Tomcat service will be required for these changes to take effect."}, "name": "CVE-2026-34500", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Under investigation", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 6"}], "public_date": "2026-04-09T19:36:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34500\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34500\nhttps://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2"], "statement": "This Moderate impact flaw in Apache Tomcat allows for client certificate authentication bypass. This occurs when 'soft fail' is disabled and the Flexible Failure Mechanism (FFM) is active, potentially granting unauthorized access to resources protected by client certificates. Red Hat Enterprise Linux versions 6, 7, 8, 9, and 10, as well as Fedora, are affected if configured with Apache Tomcat in this specific manner.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0-M14,11.0.20]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.1.22,10.1.53]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.92,9.0.116]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Tomcat", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "tomcat", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-14T13:52:05.791742+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Tomcat to version 11.0.21, 10.1.54, 9.0.117 or later.", "If an immediate upgrade is not possible, disable the Fallback\u2011First\u2011Mechanism or enable soft\u2011fail to ensure proper certificate rejection.", "Validate that client\u2011certificate authentication is required and correctly configured, allowing only trusted certificates.", "Monitor authentication logs for unexpected success events and confirm the certificate chains."], "summary": {"action": "Immediate Patch", "impact": "Client Certificate Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The issue affects Apache Tomcat versions 11.0.0\u2011M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. All milestone releases of 11.0.0 from M14 to M26 are also impacted. Users running any of these releases should verify whether client\u2011certificate authentication is enabled and whether FFM is in use.", "description_and_impact": "Apache Tomcat can fail to reject certain client certificates when soft\u2011fail is disabled and the Fallback\u2011First\u2011Mechanism (FFM) is active. The server may accept an invalid or forged certificate and still establish an authenticated session, effectively bypassing the intended security control. This weakness is a classic authentication bypass, corresponding to CWE\u2011287, and is further aggravated by incorrect handling of configuration settings (CWE\u2011303).", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating moderate severity, and an exploit likelihood of less than 1\u202f%. It is not listed in the known exploited vulnerabilities catalog and no public exploits are reported. Attackers would need the ability to initiate an HTTPS connection with client\u2011certificate authentication enabled and supply a certificate that triggers the flawed verification logic. While the risk remains moderate, timely remediation is recommended."}}}}, "created": "2026-04-10T08:38:46.890993+00:00", "updated": "2026-04-14T16:36:45.936358+00:00", "vendors": ["apache", "apache$PRODUCT$tomcat"]}