Zero Day MonitorZDM

← Back to list

—

CVE-2026-34500PATCHED

apache software foundation · apache tomcat

Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache tomcat	11.0.0-M14, 10.1.22, 9.0.92

References

https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2(vendor-advisory)

Related News (2 articles)

Tier C

oss-security5h ago

CVE-2026-34500: Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

→ No new info (linked only)

Tier C

VulDB8h ago

CVE-2026-34500 | Apache Tomcat up to 9.0.116/10.1.53/11.0.20 CLIENT_CERT Authentication improper authentication

→ No new info (linked only)

CISA KEV❌ No

Actively exploited❌ No

Patch available

https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2

PublishedApr 9, 2026

Last enriched4h agov3

Trending Score34

Source articles2

Independent2

Info Completeness7/14

Missing: cvss, epss, cwe, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-35554

Apache Kafka Clients: Kafka Producer Message Corruption and Misrouting via Buffer Pool Race Condition

IMPORTANTCVE-2026-29146

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

NONECVE-2026-24880

Apache Tomcat: Request smuggling via invalid chunk extension

NONECVE-2026-25854

Apache Tomcat: Occasionally open redirect

NONECVE-2026-29145

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 9, 2026

Discovered by ZDM

Apr 9, 2026

Updated: description, severity

Apr 9, 2026

Patch Available

Apr 9, 2026

Updated: severity

Apr 9, 2026

Version History

v3

Last enriched 4h ago

v3Tier C4h ago

Updated severity from NONE to MEDIUM.

severity

via oss-security

v2Tier C7h ago

Updated severity to CRITICAL, changed exploit availability to false, and provided a new description of the vulnerability.

descriptionseverity

via VulDB

v18h ago

Initial creation