Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
Description
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.
The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.
Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later, which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Apache Tomcat Native's OCSP handling allows bypassing certificate revocation checks by not verifying OCSP response freshness.
Root Cause
The OCSP responder verification code in Tomcat Native (and its FFM port) failed to perform complete validation and freshness checks on OCSP responses. This means the code did not properly confirm that the response was current or that it correctly reflected the certificate's revocation status [1].
Exploitation Scenario
An attacker able to intercept or inject OCSP responses (e.g., via man-in-the-middle on a network path between the client and the CA's OCSP responder) could supply a crafted or replayed OCSP response that indicates a revoked certificate is still valid. No authentication on the OCSP response is properly enforced.
Impact
Successful exploitation allows an attacker to bypass certificate revocation checks, enabling use of revoked certificates in TLS connections. This compromises the integrity of the certificate validation process, potentially leading to man-in-the-middle attacks or other security breaches.
Mitigation
The Apache Software Foundation has released fixes in Tomcat Native 1.3.5 and 2.0.12, and in Tomcat 11.0.18, 10.1.52 and 9.0.115. Users on older EOL versions (1.1.x, 1.2.x) are advised to upgrade to supported releases. No workarounds have been published [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat-coyote | Maven | >= 11.0.0-M1, < 11.0.18 | 11.0.18 |
| org.apache.tomcat:tomcat-coyote | Maven | >= 10.1.0-M7, < 10.1.52 | 10.1.52 |
| org.apache.tomcat:tomcat-coyote | Maven | >= 9.0.83, < 9.0.115 | 9.0.115 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 11.0.0-M1, < 11.0.18 | 11.0.18 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 10.1.0-M7, < 10.1.52 | 10.1.52 |
| org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 9.0.83, < 9.0.115 | 9.0.115 |
Affected products
- Apache Software Foundation / Apache Tomcat Native (range: >=1.3.0 <=1.3.4, >=2.0.0 <=2.0.11)
- Apache Software Foundation / Apache Tomcat (CVE v5 record, range starting at 11.0.0-M1)
- Apache Software Foundation / Apache Tomcat Native (CVE v5 record, range starting at 1.1.23)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-mgp5-rv84-w37q (GHSA, advisory)
- https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml (GHSA, vendor advisory, web)
- https://nvd.nist.gov/vuln/detail/CVE-2026-24734 (GHSA, advisory)
News mentions
No linked articles in our index yet.