CVE-2026-29145

CRITICAL

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Title source: cna

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Exploits (2)

nomisec WORKING POC

by sancliffe · poc

https://github.com/sancliffe/CVE-2026-29145-Tester

View Code ZIP pw:eip

nomisec WORKING POC

by gregk4sec · poc

https://github.com/gregk4sec/cve-2026-29145

View Code ZIP pw:eip

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/09/23

[Vendor Advisory] https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

Scores

CVSS v3 9.1

EPSS 0.0003

EPSS Percentile 10.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-287

Status published

Products (14)

apache/tomcat 10.1.0 (15 CPE variants)

apache/tomcat 9.0.83 - 9.0.116

apache/tomcat_native 1.1.23 - 1.3.7

Apache Software Foundation/Apache Tomcat < 8.5.100

Apache Software Foundation/Apache Tomcat 10.1.0-M7 - 10.1.52

Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.18

Apache Software Foundation/Apache Tomcat 9.0.83 - 9.0.115

Apache Software Foundation/Apache Tomcat Native 1.1.23 - 1.1.34

Apache Software Foundation/Apache Tomcat Native 1.2.0 - 1.2.39

Apache Software Foundation/Apache Tomcat Native 1.3.0 - 1.3.6

... and 4 more

Published Apr 09, 2026

Tracked Since Apr 10, 2026