CVE-2026-34500
MEDIUM6.5EPSS 0.20%Apache Tomcat: CLIENT_CERT authentication does not fail as expected
Published: 4/9/2026Modified: 5/20/2026
Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Affected packages (5)
- Bitnami/tomcat>= 9.0.92, < 9.0.117, >= 10.1.22, < 10.1.54, >= 11.0.0, < 11.0.21
- Debian/tomcat10from 0
- Debian/tomcat11from 0
- Debian/tomcat9from 0, < 9.0.70-2
- Maven/org.apache.tomcat:tomcat-coyote-ffm>= 9.0.92, < 9.0.117
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34500
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-34500
- PATCHhttps://github.com/apache/tomcat
- WEBhttps://github.com/apache/tomcat/commit/29b56a56ce9e7d044b6162a99af0f38529b3a208
- WEBhttps://github.com/apache/tomcat/commit/c13e60e732ea6d07087293a41ad1866c20848271
- WEBhttps://github.com/apache/tomcat/commit/ff589ab26e8250a2ca4286d986305318c033ff9f
- WEBhttps://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
- WEBhttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.54
- WEBhttps://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.21
- WEBhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.117
- WEBhttp://www.openwall.com/lists/oss-security/2026/04/09/29