CVE-2026-34500

MEDIUM

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Title source: cna

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/04/09/29

[Vendor Advisory] https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2

Scores

CVSS v3 6.5

EPSS 0.0016

EPSS Percentile 36.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (8)

apache/tomcat 11.0.0 milestone14 (13 CPE variants)

apache/tomcat 9.0.92 - 9.0.117

Apache Software Foundation/Apache Tomcat 10.1.22 - 10.1.53

Apache Software Foundation/Apache Tomcat 11.0.0-M14 - 11.0.20

Apache Software Foundation/Apache Tomcat 9.0.92 - 9.0.116

org.apache.tomcat/tomcat 9.0.92 - 9.0.117Maven

org.apache.tomcat/tomcat-catalina 9.0.92 - 9.0.117Maven

org.apache.tomcat.embed/tomcat-embed-core 9.0.92 - 9.0.117Maven

Published Apr 09, 2026

Tracked Since Apr 10, 2026