CVE-2026-34500

MEDIUM

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Title source: cna

Description

CLIENT_CERT authentication does not fail as expected in some scenarios when soft-fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, and from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

References (2)


Scores

CVSS v3 6.5
EPSS 0.0047
EPSS Percentile 36.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-287
Status published
Products (11)
apache/tomcat 11.0.0 milestone14 (13 CPE variants)
apache/tomcat 9.0.92 - 9.0.117
Apache Software Foundation/Apache Tomcat 10.1.22 - 10.1.53
Apache Software Foundation/Apache Tomcat 11.0.0-M14 - 11.0.20
Apache Software Foundation/Apache Tomcat 9.0.92 - 9.0.116
org.apache.tomcat/tomcat 9.0.92 - 9.0.117 (Maven)
org.apache.tomcat/tomcat-catalina 9.0.92 - 9.0.117 (Maven)
org.apache.tomcat/tomcat-coyote-ffm 10.1.22 - 10.1.54 (Maven)
org.apache.tomcat/tomcat-coyote-ffm 11.0.0-M14 - 11.0.21 (Maven)
org.apache.tomcat/tomcat-coyote-ffm 9.0.92 - 9.0.117 (Maven)
... and 1 more
Published Apr 09, 2026
Tracked Since Apr 10, 2026