CVE-2026-29145

EPSS 0.04%
Veröffentlicht 09.04.2026 20:16:24
Zuletzt bearbeitet 14.04.2026 13:22:28
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 20 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tomcat Version >= 9.0.83 < 9.0.116

Apache ≫ Tomcat Version >= 10.1.1 < 10.1.53

Apache ≫ Tomcat Version >= 11.0.0 < 11.0.20

Apache ≫ Tomcat Version10.1.0 Update-

Apache ≫ Tomcat Version10.1.0 Updatemilestone10

Apache ≫ Tomcat Version10.1.0 Updatemilestone11

Apache ≫ Tomcat Version10.1.0 Updatemilestone12

Apache ≫ Tomcat Version10.1.0 Updatemilestone13

Apache ≫ Tomcat Version10.1.0 Updatemilestone14

Apache ≫ Tomcat Version10.1.0 Updatemilestone15

Apache ≫ Tomcat Version10.1.0 Updatemilestone16

Apache ≫ Tomcat Version10.1.0 Updatemilestone17

Apache ≫ Tomcat Version10.1.0 Updatemilestone18

Apache ≫ Tomcat Version10.1.0 Updatemilestone19

Apache ≫ Tomcat Version10.1.0 Updatemilestone20

Apache ≫ Tomcat Version10.1.0 Updatemilestone7

Apache ≫ Tomcat Version10.1.0 Updatemilestone8

Apache ≫ Tomcat Version10.1.0 Updatemilestone9

Apache ≫ Tomcat Native Version >= 1.1.23 < 1.3.7

Apache ≫ Tomcat Native Version >= 2.0.0 < 2.0.14

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.115

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

Vendor Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/09/23

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-29145

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-29145

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-29145

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-29145