CVE-2026-34500

Published Apr 9, 2026

Last updated 2 months ago

CVSS medium 6.5

Overview

Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Source: security@apache.org
NVD status: Analyzed
Products: tomcat

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 4.2
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Severity: MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-287

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "0F8E9052-1F8B-4AE4-848E-8A68AF70799D",
            "versionEndExcluding": "9.0.117",
            "versionStartIncluding": "9.0.92",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "0F59692A-17FE-42A3-83DF-FD362A4E74C7",
            "versionEndExcluding": "10.1.54",
            "versionStartIncluding": "10.1.22",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "C690419F-47D3-4770-8F15-7EF042E1567F",
            "versionEndExcluding": "11.0.21",
            "versionStartIncluding": "11.0.1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
            "matchCriteriaId": "72D3C6F1-84FA-4F82-96C1-9A8DA1C1F30F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
            "matchCriteriaId": "3521C81B-37D9-48FC-9540-D0D333B9A4A4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
            "matchCriteriaId": "02A84634-A8F2-4BA9-B9F3-BEF36AEC5480",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*",
            "matchCriteriaId": "ECBBC1F1-C86B-40AF-B740-A99F6B27682A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*",
            "matchCriteriaId": "9D2206B2-F3FF-43F2-B3E2-3CAAC64C691D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*",
            "matchCriteriaId": "0495A538-4102-40D0-A35C-0179CFD52A9D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*",
            "matchCriteriaId": "77BA6600-0890-4BA1-B447-EC1746BAB4FD",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*",
            "matchCriteriaId": "7914D26B-CBD6-4846-9BD3-403708D69319",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*",
            "matchCriteriaId": "123C6285-03BE-49FC-B821-8BDB25D02863",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*",
            "matchCriteriaId": "8A28C2E2-B7BC-46CE-94E4-AE3EF172AA47",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*",
            "matchCriteriaId": "069B0D8E-8223-4C4E-A834-C6235D6C3450",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*",
            "matchCriteriaId": "E6282085-5716-4874-B0B0-180ECDEE128F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*",
            "matchCriteriaId": "899B6FF0-8701-47E7-8EDA-428A6D48786D",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References