CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
11th
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
| Vendor | apache software foundation |
| Product | apache tomcat |
| Published | Apr 9, 2026 |
| Last Updated | Apr 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache tomcat
Be the first to know when new critical vulnerabilities affecting apache software foundation apache tomcat are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
Affected Versions
Apache Software Foundation / Apache Tomcat
11.0.0-M1 ≤ 11.0.18 10.1.0-M7 ≤ 10.1.52 9.0.83 ≤ 9.0.115
Apache Software Foundation / Apache Tomcat Native
1.1.23 ≤ 1.1.34 1.2.0 ≤ 1.2.39 1.3.0 ≤ 1.3.6 2.0.0 ≤ 2.0.13
References
Credits
gregk4sec (https://github.com/gregk4sec)