GHSA-24j9-x2wg-9qv6 | Severity: Medium | CVSS 6.5
Apache Tomcat: CLIENT_CERT authentication does not fail as expected
🔗 CVE IDs covered (1)
- CVE-2026-34500
📋 Description
CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled and the FFM-based OpenSSL integration (the tomcat-coyote-ffm module, built on Java's Foreign Function & Memory API) is used in Apache Tomcat. In those scenarios a client-certificate check that should have rejected the client may instead succeed.
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
🎯 Affected products (3)
- maven/org.apache.tomcat:tomcat-coyote-ffm:>= 9.0.92, < 9.0.117
- maven/org.apache.tomcat:tomcat-coyote-ffm:>= 10.1.22, < 10.1.54
- maven/org.apache.tomcat:tomcat-coyote-ffm:>= 11.0.0-M14, < 11.0.21
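As an added example (not part of this advisory or of the Tomcat project's own code), the following Python helper encodes the three affected ranges above and orders Tomcat milestone builds such as 11.0.0-M14 before the corresponding GA release, so that a deployment's version can be compared against the ranges correctly. It assumes the FFM OpenSSL module is deployed as a jar whose file name starts with tomcat-coyote-ffm (the Maven artifact id); the jar names and versions fed to it are constructed sample input. It cannot see whether soft fail is disabled in the TLS configuration, so a version in range with the module deployed is reported as affected.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    # Milestone builds (11.0.0-M14) precede the GA release with the same
    # numbers: ga is 0 for a milestone and 1 for a final release, and the
    # milestone number only matters between two milestones.
    ga: int
    milestone: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Parse '9.0.116' or '11.0.0-M14' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    if ms is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(ms))


# Ranges taken from the advisory: [first affected, first fixed).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("9.0.92", "9.0.117"),
    ("10.1.22", "10.1.54"),
    ("11.0.0-M14", "11.0.21"),
]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def ffm_module_present(jar_names: Iterable[str]) -> bool:
    # Assumption: the FFM OpenSSL module is deployed as a jar named after the
    # Maven artifact id, e.g. tomcat-coyote-ffm-10.1.30.jar.
    return any(name.startswith("tomcat-coyote-ffm") for name in jar_names)


NOT_AFFECTED = "not-affected"
VERSION_IN_RANGE_NO_FFM = "version-in-range-ffm-absent"
AFFECTED = "affected"


def triage(version: str, jar_names: Iterable[str]) -> str:
    """Classify an installation from its version and the jars in its lib dir."""
    if fixed_version_for(version) is None:
        return NOT_AFFECTED
    if not ffm_module_present(jar_names):
        # The vulnerable code path needs the FFM module; upgrading is still
        # the right move, but CLIENT_CERT is not exposed by this issue.
        return VERSION_IN_RANGE_NO_FFM
    return AFFECTED


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real deployment.
    inventory = [
        ("9.0.116", ["tomcat-coyote.jar", "tomcat-coyote-ffm-9.0.116.jar"]),
        ("10.1.54", ["tomcat-coyote.jar", "tomcat-coyote-ffm-10.1.54.jar"]),
        ("11.0.0-M13", ["tomcat-coyote.jar", "tomcat-coyote-ffm-11.0.0-M13.jar"]),
        ("11.0.5", ["tomcat-coyote.jar"]),
    ]
    for ver, jars in inventory:
        status = triage(ver, jars)
        fix = fixed_version_for(ver)
        print(f"{ver:12} {status:28} upgrade to: {fix or 'n/a'}")
```

The milestone ordering is the part that is easy to get wrong with a naive string or float comparison: 11.0.0-M14 is older than 11.0.0 GA, so every 11.0.x release up to 11.0.20 falls inside the third range, while 11.0.0-M13 does not.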
🔗 References (10)
- https://nvd.nist.gov/vuln/detail/CVE-2026-34500
- https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
- http://www.openwall.com/lists/oss-security/2026/04/09/29
- https://github.com/apache/tomcat/commit/29b56a56ce9e7d044b6162a99af0f38529b3a208
- https://github.com/apache/tomcat/commit/c13e60e732ea6d07087293a41ad1866c20848271
- https://github.com/apache/tomcat/commit/ff589ab26e8250a2ca4286d986305318c033ff9f
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.54
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.21
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.117
- https://github.com/advisories/GHSA-24j9-x2wg-9qv6