CVE-2026-29145

CRITICAL

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Title source: cna

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-29145. PoCs published by adminlove520, Chenjp, sancliffe and gregk4sec.

AI-analyzed exploit summary All four tracked PoCs target the same scenario: Apache Tomcat configured for CLIENT_CERT (mutual TLS) authentication with OCSP revocation checking enabled and soft-fail disabled. Each stands up a test environment (Docker, OpenSSL-generated CA and client certificates) and presents a client certificate whose OCSP check fails or comes back 'Unknown'; a vulnerable server still accepts the certificate, which amounts to an authentication bypass.

Description

Apache Tomcat and Apache Tomcat Native: CLIENT_CERT authentication does not fail as expected in some scenarios when OCSP soft fail is disabled. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 or 9.0.116, which fix the issue. No fixed release is named for the Tomcat Native 1.1.x and 1.2.x branches; users on those branches are pointed at 1.3.7 or 2.0.14.
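As an added example (not code from this page, the PoC repositories, or the Tomcat project), the following Python script decides whether a Tomcat or Tomcat Native version falls inside the affected ranges quoted in the description above and names the fixed release on the same branch, handling milestone tags such as 11.0.0-M1 that sort before the GA build of the same number. It also pulls both version strings out of startup output; the banner formats it matches ('Apache Tomcat/x.y.z' from version.sh and 'Loaded Apache Tomcat Native library [x.y.z]' from catalina.out) are an assumption about typical Tomcat logging, and the sample text is constructed.

```python
"""Affected-version check for CVE-2026-29145 (Apache Tomcat, Apache Tomcat Native).

The ranges are the ones quoted in the advisory text; everything else here is
illustrative. Milestone tags (11.0.0-M1, 10.1.0-M7) sort before the GA build
of the same number, which a plain string or tuple comparison gets wrong.
"""
import re
from typing import Dict, List, Optional, Tuple

# Inclusive (first affected, last affected) pairs, per the advisory.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "tomcat": [("11.0.0-M1", "11.0.18"), ("10.1.0-M7", "10.1.52"), ("9.0.83", "9.0.115")],
    "tomcat-native": [("1.1.23", "1.1.34"), ("1.2.0", "1.2.39"),
                      ("1.3.0", "1.3.6"), ("2.0.0", "2.0.13")],
}

# First fixed release per branch, per the advisory. Tomcat Native 1.1.x and
# 1.2.x have no fixed release listed; the advisory points those users at
# 1.3.7 or 2.0.14.
FIXED: Dict[str, List[str]] = {
    "tomcat": ["11.0.20", "10.1.53", "9.0.116"],
    "tomcat-native": ["1.3.7", "2.0.14"],
}

GA = 10**6  # sentinel: a GA build sorts after any milestone M<n> of the same number
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Assumed banner formats (see the constructed sample below); adjust to your logs.
_TOMCAT_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")
_NATIVE_BANNER_RE = re.compile(r"Apache Tomcat Native library \[(\d+\.\d+\.\d+)\]")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'10.1.0-M7' -> (10, 1, 0, 7); '10.1.0' -> (10, 1, 0, GA)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def _key(product: str) -> str:
    key = product.strip().lower().replace("_", "-")
    if key not in AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected 'tomcat' or 'tomcat-native'")
    return key


def is_affected(product: str, version: str) -> bool:
    """True when version lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[_key(product)])


def fixed_release_for(product: str, version: str) -> Optional[str]:
    """Fixed release on the same major.minor branch, or None if the advisory lists none."""
    branch = parse_version(version)[:2]
    for fixed in FIXED[_key(product)]:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None


def versions_from_text(text: str) -> Dict[str, str]:
    """Pull the Tomcat and Tomcat Native versions out of startup or log output."""
    found: Dict[str, str] = {}
    m = _TOMCAT_BANNER_RE.search(text)
    if m:
        found["tomcat"] = m.group(1)
    m = _NATIVE_BANNER_RE.search(text)
    if m:
        found["tomcat-native"] = m.group(1)
    return found


# Constructed sample in the assumed banner formats, not real log output.
SAMPLE_LOG = """\
Server version: Apache Tomcat/10.1.52
Server number:  10.1.52.0
09-Apr-2026 10:00:00.000 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [2.0.13] using APR version [1.7.4].
"""


def report(text: str) -> List[str]:
    """One verdict line per product found in `text`."""
    lines = []
    for product, version in versions_from_text(text).items():
        if is_affected(product, version):
            fix = fixed_release_for(product, version)
            target = fix if fix else " / ".join(FIXED[product]) + " (no fix on this branch)"
            lines.append(f"{product} {version}: AFFECTED, upgrade to {target}")
        else:
            lines.append(f"{product} {version}: not in an affected range")
    return lines


if __name__ == "__main__":
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(source)))
```

Pipe the output of `catalina.sh version` or the first lines of catalina.out into the script; with no input it evaluates the constructed sample, which reports both products as affected.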

Exploits (4)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-29145

This repository contains a functional proof-of-concept for CVE-2026-29145, an authentication bypass vulnerability in Apache Tomcat's Mutual TLS (CLIENT_CERT) implementation. The PoC includes scripts to set up a vulnerable environment, generate certificates, and test the exploit scenario where OCSP checks fail, allowing unauthorized access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.52
No auth needed
Prerequisites: Docker & Docker Compose · OpenSSL · Python 3.7+ · CLIENT_CERT authentication enabled · OCSP revocation checking enabled · Soft-fail disabled
devstral-2 · analyzed May 15, 2026
nomisec WORKING POC
by Chenjp · poc
https://github.com/Chenjp/CVE-2026-29145-Tester

This repository contains a functional proof-of-concept for CVE-2026-29145, an authentication bypass in Apache Tomcat's Mutual TLS (CLIENT_CERT) implementation due to improper OCSP soft-fail handling. It includes a Docker-based testing environment, certificate generation scripts, and a Python exploit script to demonstrate the vulnerability.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.52
No auth needed
Prerequisites: Docker & Docker Compose · OpenSSL · Python 3.7+ · CLIENT_CERT authentication enabled · OCSP revocation checking enabled · Soft-fail disabled
devstral-2 · analyzed May 15, 2026
nomisec WORKING POC
by sancliffe · poc
https://github.com/sancliffe/CVE-2026-29145-Tester

This repository contains a functional proof-of-concept for CVE-2026-29145, an authentication bypass in Apache Tomcat's Mutual TLS (CLIENT_CERT) implementation. It includes a Docker-based testing environment, certificate generation scripts, and a Python exploit script to demonstrate the vulnerability.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.52
No auth needed
Prerequisites: Docker & Docker Compose · OpenSSL · Python 3.7+ · CLIENT_CERT authentication enabled in Tomcat · OCSP revocation checking enabled · Soft-fail option disabled
devstral-2 · analyzed Apr 24, 2026
nomisec WORKING POC
by gregk4sec · poc
https://github.com/gregk4sec/cve-2026-29145

The repository contains a functional PoC for CVE-2026-29145, demonstrating an authentication bypass in Apache Tomcat due to improper OCSP checks. The exploit leverages a scenario where OCSP responses with 'Unknown' status are incorrectly treated as valid, allowing unauthorized access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions with OCSP soft-fail misconfiguration)
No auth needed
Prerequisites: Client certificate with OCSP 'Unknown' status · Tomcat configured with strict OCSP checking (ocspSoftFail=false)
devstral-2 · analyzed Apr 12, 2026
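To confirm the fix on a live server rather than trust a version number, here is an added mTLS probe (example code, not from this page, the PoC repositories, or Tomcat) using only the Python standard library. It fetches a CLIENT_CERT-protected URL with a client certificate and reports whether the server let the certificate through; run it once while the certificate's OCSP responder answers 'good' and once with the responder stopped or answering 'unknown', which is the scenario the PoCs above set up. Host, port, path and file names on the command line are assumptions; the OCSP state you pass in is what you know the responder did during that run. Whether a rejection shows up as a failed handshake or as an HTTP 401/403 depends on the connector's certificateVerification setting and the TLS version, so both count as a rejection.

```python
"""mTLS acceptance probe for a Tomcat CLIENT_CERT endpoint (CVE-2026-29145 check).

Assumption in this example: the server runs with OCSP revocation checking on and
soft-fail disabled. Under that policy only an OCSP 'good' answer may let the
client certificate through; 'unknown', 'revoked', or an unreachable responder
must all end in a rejection.
"""
import http.client
import ssl
import sys
from dataclasses import dataclass


@dataclass
class Outcome:
    verdict: str  # "accepted" | "rejected_handshake" | "rejected_http" | "inconclusive"
    detail: str


def classify_http(status: int) -> Outcome:
    """Map the HTTP status of the protected resource to an acceptance verdict."""
    if 200 <= status < 300:
        return Outcome("accepted", f"HTTP {status}")
    if status in (401, 403):
        return Outcome("rejected_http", f"HTTP {status}")
    return Outcome("inconclusive", f"HTTP {status}")


def probe(host: str, port: int, path: str, client_cert: str, client_key: str,
          ca_file: str, timeout: float = 10.0) -> Outcome:
    """GET `path` with the client certificate; say whether the server let it through."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        # With TLS 1.3 the server's verdict on the client certificate can arrive
        # after the client considers the handshake done, so the alert (or a bare
        # connection reset) may surface on request() or getresponse().
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return classify_http(resp.status)
    except ssl.SSLError as exc:
        return Outcome("rejected_handshake", str(exc.reason or exc))
    except (ConnectionResetError, BrokenPipeError) as exc:
        return Outcome("rejected_handshake", f"connection dropped: {exc}")
    finally:
        conn.close()


def assess(ocsp_state: str, outcome: Outcome) -> str:
    """Compare what the server did with what a soft-fail-disabled policy requires.

    ocsp_state is what the responder did for this client certificate during the
    run: "good", "revoked", "unknown", or "unreachable".
    """
    if outcome.verdict == "inconclusive":
        return "inconclusive"
    expected_accept = ocsp_state == "good"
    accepted = outcome.verdict == "accepted"
    if accepted and not expected_accept:
        return "FAIL: certificate accepted with OCSP state %r (CVE-2026-29145 behaviour)" % ocsp_state
    if not accepted and expected_accept:
        return "unexpected rejection with OCSP 'good' (check chain, CA file, or responder)"
    return "ok"


if __name__ == "__main__":
    if len(sys.argv) != 8:
        sys.exit("usage: probe.py HOST PORT PATH CLIENT_CERT CLIENT_KEY CA_FILE OCSP_STATE")
    host, port, path, cert, key, ca, state = sys.argv[1:]
    result = probe(host, int(port), path, cert, key, ca)
    print(f"{result.verdict} ({result.detail}) -> {assess(state, result)}")
```

A patched server should print "ok" for every run; an "accepted" verdict in the 'unknown' or 'unreachable' run is the behaviour the advisory describes. Keep the 'good' run as a control, since a rejection there points at a broken chain or CA file rather than at revocation handling.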

Scores

CVSS v3 9.1
EPSS 0.0003
EPSS Percentile 8.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none (SSVC assessment; note that four public PoCs are tracked above, analyzed Apr 12 to May 15, 2026)
Automatable yes
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (19)
apache/tomcat 10.1.0 (15 CPE variants)
apache/tomcat 9.0.83 - 9.0.116 (9.0.116 is the fixed release named in the description, so read the upper bound as exclusive)
apache/tomcat_native 1.1.23 - 1.3.7 (1.3.7 is the fixed release, so read the upper bound as exclusive; this single span also covers the 1.1.x and 1.2.x branches, for which no fix is listed)
Apache Software Foundation/Apache Tomcat < 8.5.100
Apache Software Foundation/Apache Tomcat 10.1.0-M7 - 10.1.52
Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.18
Apache Software Foundation/Apache Tomcat 9.0.83 - 9.0.115
Apache Software Foundation/Apache Tomcat Native 1.1.23 - 1.1.34
Apache Software Foundation/Apache Tomcat Native 1.2.0 - 1.2.39
Apache Software Foundation/Apache Tomcat Native 1.3.0 - 1.3.6
... and 9 more
Published Apr 09, 2026
Tracked Since Apr 10, 2026