Vulnerability in Apache Software Foundation Tomcat
CVE-2026-34500
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0…
EPSS: 0.001 (35.1th percentile)
Affected products
- Apache Software Foundation Tomcat — versions 11.0.0-M14, 10.1.22, 9.0.92
References
- lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2 (vendor-advisory)