Medium severity (CVSS 6.5) · NVD Advisory · Published Apr 9, 2026 · Updated Apr 14, 2026
CVE-2026-34500
Description
CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled and the FFM (Foreign Function & Memory API) based OpenSSL integration is used in Apache Tomcat. The practical consequence is that a client-certificate check which should have rejected a TLS client can instead be treated as passed.
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, and from 9.0.92 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
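The affected ranges above are awkward to check by eye because the 11.0 branch starts at a milestone build (11.0.0-M14), which sorts before the 11.0.0 GA release. The following script is an added example, not code from the Tomcat project or the advisory: it parses a Tomcat version string (including the `-M<n>` milestone suffix), tests it against the three ranges stated on this page, and extracts the version from a `version.sh` / `ServerInfo.properties` style `Apache Tomcat/<version>` string. The sample input strings are constructed for the example.

```python
import re

# Affected ranges exactly as stated in the advisory:
# (branch as (major, minor), first affected, first fixed)
AFFECTED_RANGES = [
    ((9, 0), "9.0.92", "9.0.117"),
    ((10, 1), "10.1.22", "10.1.54"),
    ((11, 0), "11.0.0-M14", "11.0.21"),
]

# major.minor.patch with an optional Tomcat milestone suffix such as "-M14"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Matches "Server version: Apache Tomcat/10.1.40" (version.sh output) and
# "server.info=Apache Tomcat/10.1.40" (ServerInfo.properties) alike.
_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(version):
    """Turn 'major.minor.patch[-M<n>]' into a sortable tuple.

    Milestones of a release sort before the GA release with the same number,
    so the last component is (0, n) for milestone n and (1, 0) for GA.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    milestone_key = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch), milestone_key)


def assess(version):
    """Return (affected, fixed_version) for CVE-2026-34500.

    fixed_version is the first release on the same branch that contains the
    fix, or None when the version is not affected. Branches the advisory does
    not list (for example 8.5.x) are reported as not affected.
    """
    key = parse_version(version)
    for branch, first_affected, first_fixed in AFFECTED_RANGES:
        if key[:2] != branch:
            continue
        if parse_version(first_affected) <= key < parse_version(first_fixed):
            return True, first_fixed
        return False, None
    return False, None


def version_from_server_info(text):
    """Extract the version from an 'Apache Tomcat/<version>' string, or None."""
    m = _SERVER_INFO_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real server.
    samples = [
        "Server version: Apache Tomcat/10.1.53",
        "server.info=Apache Tomcat/11.0.0-M14",
        "Server version: Apache Tomcat/9.0.117",
    ]
    for line in samples:
        v = version_from_server_info(line)
        affected, fix = assess(v)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{v:>12}: {status}")
```

Run it against the output of `bin/version.sh` on each host, or feed it the `tomcat-embed-core` version from your dependency tree for embedded deployments; the same three ranges apply to `tomcat-catalina`, `tomcat` and `tomcat-embed-core`.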
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-catalina | >= 9.0.92, < 9.0.117 | 9.0.117 |
| org.apache.tomcat:tomcat-catalina | >= 10.1.22, < 10.1.54 | 10.1.54 |
| org.apache.tomcat:tomcat-catalina | >= 11.0.0-M14, < 11.0.21 | 11.0.21 |
| org.apache.tomcat:tomcat | >= 9.0.92, < 9.0.117 | 9.0.117 |
| org.apache.tomcat:tomcat | >= 10.1.22, < 10.1.54 | 10.1.54 |
| org.apache.tomcat:tomcat | >= 11.0.0-M14, < 11.0.21 | 11.0.21 |
| org.apache.tomcat.embed:tomcat-embed-core | >= 9.0.92, < 9.0.117 | 9.0.117 |
| org.apache.tomcat.embed:tomcat-embed-core | >= 10.1.22, < 10.1.54 | 10.1.54 |
| org.apache.tomcat.embed:tomcat-embed-core | >= 11.0.0-M14, < 11.0.21 | 11.0.21 |
Affected products
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* (range: >= 9.0.92, < 9.0.117)
- cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.openwall.com/lists/oss-security/2026/04/09/29 (oss-security mailing list; third-party advisory)
- github.com/advisories/GHSA-24j9-x2wg-9qv6 (GitHub Security Advisory)
- lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2 (Apache vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34500 (NVD)
News mentions
- Siemens SIMATIC (CISA Alerts)