CVE-2026-29145

Published Apr 9, 2026

Last updated 2 months ago

CVSS critical 9.1

Overview

Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Source: security@apache.org
NVD status: Analyzed
Products: tomcat, tomcat_native

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.1
Impact score: 5.2
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-287

Hype score: Not currently trending

⚠️ Vulnerabilidades en productos Atlassian ❗ CVE-2026-29145 ❗ CVE-2026-22732 ❗ CVE-2026-22029 ➡️ Más info: https://t.co/TNtywQ5Hiq https://t.co/OQ4O0L0bCR
@CERTpy
1 Jun 2026
90 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "2F4C25F3-54B7-42C3-9CEE-853D64F538B9",
            "versionEndExcluding": "9.0.116",
            "versionStartIncluding": "9.0.83",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "6A9752F3-66FC-41BC-BBB9-50AC9A7DBC55",
            "versionEndExcluding": "10.1.53",
            "versionStartIncluding": "10.1.1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "1F39B82B-0E67-459D-8065-2C6EE7970D0D",
            "versionEndExcluding": "11.0.20",
            "versionStartIncluding": "11.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:-:*:*:*:*:*:*",
            "matchCriteriaId": "8AF99366-B85F-447F-90EF-E4F163193A78",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
            "matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
            "matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
            "matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
            "matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
            "matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
            "matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
            "matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
            "matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
            "matchCriteriaId": "2DCE3576-86BC-4BB8-A5FB-1274744DFD7F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
            "matchCriteriaId": "5571F54A-2EAC-41B6-BDA9-7D33CFE97F70",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
            "matchCriteriaId": "ED30E850-C475-4133-BDE3-74CB3768D787",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
            "matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
            "matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
            "matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "4285FB15-C93B-498C-9DA1-E5C3364A0280",
            "versionEndExcluding": "1.3.7",
            "versionStartIncluding": "1.1.23",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "89778321-0002-4D5F-85DB-EAE3CB9B53CA",
            "versionEndExcluding": "2.0.14",
            "versionStartIncluding": "2.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References