SecuriTricks - CVE-2026-34500

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Product(s) Impacted

Vendor	Product	Versions
Apache	Tomcat	11.0.0-M14-11.0.20, 10.1.22-10.1.53, 9.0.92-9.0.116, 11.0.21, 10.1.54, 9.0.117

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	apache	tomcat	11.0.0-M14-11.0.20	/	/	/	/	/	/	/
a	apache	tomcat	10.1.22-10.1.53	/	/	/	/	/	/	/
a	apache	tomcat	9.0.92-9.0.116	/	/	/	/	/	/	/
a	apache	tomcat	11.0.21	/	/	/	/	/	/	/
a	apache	tomcat	10.1.54	/	/	/	/	/	/	/
a	apache	tomcat	9.0.117	/	/	/	/	/	/	/

References

https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2

http://www.openwall.com/lists/oss-security/2026/04/09/29

CVSS Score

6.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

View Vector String

Timeline

Published: April 9, 2026, 8:16 p.m.
Last Modified: April 10, 2026, 3:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-34500