Vulnerability in Apache Software Foundation Tomcat

CVE-2026-29145

In some scenarios, CLIENT_CERT authentication does not fail as expected when soft fail is disabled. The vulnerability is in Apache Tomcat and Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 thro…

EPSS: 0.000 (8.6th percentile)

Affected products

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2026-29145?
CVE-2026-29145 is a vulnerability in Apache Software Foundation Tomcat. Published 2026-04-09.
Is CVE-2026-29145 known to be exploited?
3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.