PT-2026-20317 · Apache · Apache Tomcat, Apache Tomcat Native

Joshua Rogers · Published 2026-01-01 · Updated 2026-03-30

CVE-2026-24734

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.39
Apache Tomcat Native versions 1.3.0 through 1.3.4
Apache Tomcat Native versions 2.0.0 through 2.0.11
Apache Tomcat versions 9.0.83 through 9.0.114
Apache Tomcat versions 10.1.0-M7 through 10.1.51
Apache Tomcat versions 11.0.0-M1 through 11.0.17

Description

An improper input validation issue exists in Apache Tomcat Native and Apache Tomcat when an OCSP responder is used. The software did not complete verification or freshness checks on the OCSP response it received, so a revoked certificate could still be accepted, bypassing certificate revocation. The issue was reported on November 2, 2025, and made public on February 17, 2026.

Recommendations

Upgrade to a fixed release:

Apache Tomcat Native version 1.3.5 or later
Apache Tomcat Native version 2.0.12 or later
Apache Tomcat version 11.0.18 or later
Apache Tomcat version 10.1.52 or later
Apache Tomcat version 9.0.115 or later

Fix

RCE

Weakness Enumeration

Related Identifiers

BIT-TOMCAT-2026-24734
CVE-2026-24734
GHSA-MGP5-RV84-W37Q
MGASA-2026-0056
OESA-2026-1651
OPENSUSE-SU-2026:10305-1
OPENSUSE-SU-2026:10306-1
OPENSUSE-SU-2026:10307-1
OPENSUSE-SU-2026:20350-1
OPENSUSE-SU-2026:20414-1
OPENSUSE-SU-2026:20444-1
SUSE-SU-2026:0877-1
SUSE-SU-2026:0890-1
SUSE-SU-2026:0932-1
SUSE-SU-2026:20926-1

Affected Products

Apache Tomcat
Apache Tomcat Native