PT-2026-31699 · Apache · Apache Tomcat

Gregk4Sec · Published 2026-03-23 · Updated 2026-05-22 · CVE-2026-29145

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.83 through 9.0.115
Apache Tomcat versions 10.1.0-M7 through 10.1.52
Apache Tomcat versions 11.0.0-M1 through 11.0.18
Apache Tomcat Native versions 1.1.23 through 1.1.34
Apache Tomcat Native versions 1.2.0 through 1.2.39
Apache Tomcat Native versions 1.3.0 through 1.3.6
Apache Tomcat Native versions 2.0.0 through 2.0.13
Description

An issue exists in Apache Tomcat and Apache Tomcat Native where CLIENT-CERT authentication does not fail as expected in certain scenarios when soft fail is disabled. In those scenarios a client that the configuration expects to be rejected can still pass CLIENT-CERT authentication; the CVSS vector (C:C/I:C, no authentication required) reflects that the flaw bypasses an authentication control rather than merely weakening it.
Recommendations

Upgrade Apache Tomcat to version 11.0.20, 10.1.53, or 9.0.116.
Upgrade Apache Tomcat Native to version 1.3.7 or 2.0.14.

No fixed release is listed for the Tomcat Native 1.1.x and 1.2.x branches, so deployments on those branches should move to 1.3.7 or 2.0.14 rather than wait for a branch-specific update. Tomcat and Tomcat Native are versioned and shipped separately, so both components must be checked and upgraded.
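The affected ranges above include milestone builds (10.1.0-M7, 11.0.0-M1), which sort before their GA release and trip up naive string comparison. The following checker is an added example written for this page, not code from the advisory or from the Apache Tomcat project: it parses Tomcat-style version strings, tests them against the advisory's inclusive ranges, and scans a startup log for the server-version and Tomcat Native lines. The log excerpt is constructed, and the log line patterns are assumptions about the VersionLoggerListener and AprLifecycleListener message formats rather than something this advisory states.

```python
import re
from typing import List, NamedTuple, Optional, Sequence, Tuple


class Version(NamedTuple):
    """Tomcat-style version, ordered so that a milestone (10.1.0-M7) sorts before its GA (10.1.0)."""
    major: int
    minor: int
    patch: int
    ga: int         # 0 for a milestone (-Mn) build, 1 for a GA release
    milestone: int  # n for -Mn, 0 for a GA release


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, ms = m.groups()
    if ms is None:
        return Version(int(major), int(minor), int(patch), 1, 0)
    return Version(int(major), int(minor), int(patch), 0, int(ms))


# Inclusive affected ranges and the fixed release named in the advisory.
TOMCAT_RANGES: Sequence[Tuple[str, str, str]] = (
    ("9.0.83", "9.0.115", "9.0.116"),
    ("10.1.0-M7", "10.1.52", "10.1.53"),
    ("11.0.0-M1", "11.0.18", "11.0.20"),
)
# The advisory lists no fixed 1.1.x or 1.2.x release; those branches must move to 1.3.7 or 2.0.14.
TCNATIVE_RANGES: Sequence[Tuple[str, str, str]] = (
    ("1.1.23", "1.1.34", "1.3.7 or 2.0.14"),
    ("1.2.0", "1.2.39", "1.3.7 or 2.0.14"),
    ("1.3.0", "1.3.6", "1.3.7"),
    ("2.0.0", "2.0.13", "2.0.14"),
)


def _fixed_version_for(version: str, ranges: Sequence[Tuple[str, str, str]]) -> Optional[str]:
    """Return the release to upgrade to if `version` lies inside an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in ranges:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def check_tomcat(version: str) -> Optional[str]:
    return _fixed_version_for(version, TOMCAT_RANGES)


def check_tomcat_native(version: str) -> Optional[str]:
    return _fixed_version_for(version, TCNATIVE_RANGES)


# Assumed startup log patterns: the server version line written by VersionLoggerListener and the
# native library line written by AprLifecycleListener. Only the version token is matched.
_TOMCAT_LOG_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")
_TCNATIVE_LOG_RE = re.compile(r"Loaded Apache Tomcat Native library \[(\d+\.\d+\.\d+)\]")


def scan_startup_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (component, version seen, fixed release) for every affected version in the log."""
    findings: List[Tuple[str, str, str]] = []
    for m in _TOMCAT_LOG_RE.finditer(text):
        fixed = check_tomcat(m.group(1))
        if fixed:
            findings.append(("Apache Tomcat", m.group(1), fixed))
    for m in _TCNATIVE_LOG_RE.finditer(text):
        fixed = check_tomcat_native(m.group(1))
        if fixed:
            findings.append(("Apache Tomcat Native", m.group(1), fixed))
    return findings


# Constructed sample of a catalina.out startup excerpt (not a real capture).
SAMPLE_LOG = """\
23-Mar-2026 10:00:01.123 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/10.1.52
23-Mar-2026 10:00:01.456 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [2.0.13] using APR version [1.7.5].
"""

if __name__ == "__main__":
    for component, seen, fixed in scan_startup_log(SAMPLE_LOG):
        print(f"{component} {seen} is affected by CVE-2026-29145; upgrade to {fixed}")
```

The checker reproduces the advisory's ranges exactly and says nothing about versions outside them: 8.5.x is not listed, and 11.0.19 sits between the last affected release (11.0.18) and the recommended 11.0.20. Treat a `None` result as "not listed in this advisory", not as "safe", and confirm against the upstream Tomcat security page before closing a finding.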

Fix

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BDU:2026-06931
BIT-TOMCAT-2026-29145
CLEANSTART-2026-IS05941
CVE-2026-29145
GHSA-95JQ-RWVF-VJX4
MGASA-2026-0095
OESA-2026-1970
OPENSUSE-SU-2026:10547-1
OPENSUSE-SU-2026:10548-1
OPENSUSE-SU-2026:10549-1
OPENSUSE-SU-2026:20595-1
OPENSUSE-SU-2026:20611-1
OPENSUSE-SU-2026:20612-1
SUSE-SU-2026:1558-1
SUSE-SU-2026:1572-1
SUSE-SU-2026:1603-1
SUSE-SU-2026:1604-1

Affected Products

Apache Tomcat
Apache Tomcat Native
Confluence
Red Os