CVE-2026-29145 | THREATINT

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

PUBLISHED Reserved 2026-03-04 | Published 2026-04-09 | Updated 2026-04-10 | Assigner apache

Problem types

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled

Product status

Default status

unaffected

11.0.0-M1 (semver)

affected

10.1.0-M7 (semver)

affected

9.0.83 (semver)

affected

Any version

unaffected

Default status

unaffected

1.1.23 (semver)

affected

1.2.0 (semver)

affected

1.3.0 (semver)

affected

2.0.0 (semver)

affected

Credits

gregk4sec (https://github.com/gregk4sec) finder

References

www.openwall.com/lists/oss-security/2026/04/09/23

lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz vendor-advisory

cve.org (CVE-2026-29145)

nvd.nist.gov (CVE-2026-29145)

Download JSON