Clientcert auth ignores softfail in Apache Tomcat (11.0.18)
CVE-2026-29145 Published on April 9, 2026
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
A vulnerability in Apache Tomcat and Apache Tomcat Native: CLIENT_CERT authentication does not fail as expected in some scenarios when OCSP soft fail is disabled.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Vulnerability Analysis
CVE-2026-29145 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an authentication vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2026-29145 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2026-29145
Affected Versions
Apache Software Foundation Apache Tomcat:
- Version 11.0.0-M1 through 11.0.18 is affected.
- Version 10.1.0-M7 through 10.1.52 is affected.
- Version 9.0.83 through 9.0.115 is affected.
- Before and including 8.5.100 is unaffected.
Apache Software Foundation Apache Tomcat Native:
- Version 1.1.23 through 1.1.34 is affected.
- Version 1.2.0 through 1.2.39 is affected.
- Version 1.3.0 through 1.3.6 is affected.
- Version 2.0.0 through 2.0.13 is affected.
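As an added example (not part of this advisory or of the Tomcat project), the Python checker below encodes the affected ranges and fixed releases listed above and reports whether a version string from your own inventory falls inside one of them. It handles Tomcat's milestone numbering (11.0.0-M1 sorts before the GA 11.0.0, so a range that starts at a milestone is matched correctly) and maps an affected version to the fixed release on its own branch, or to the nearest later fixed release when the branch has none, as with Tomcat Native 1.1.x and 1.2.x. The inventory entries in the block are constructed sample data.

```python
"""Check Apache Tomcat / Tomcat Native versions against the CVE-2026-29145 ranges.

Added example, not the project's own tooling. Ranges and fixed releases are
copied from the advisory text; inventory entries below are constructed samples.
"""
import re

# Inclusive affected ranges, exactly as listed in the advisory.
AFFECTED = {
    "tomcat": [
        ("11.0.0-M1", "11.0.18"),
        ("10.1.0-M7", "10.1.52"),
        ("9.0.83", "9.0.115"),
    ],
    "tomcat-native": [
        ("1.1.23", "1.1.34"),
        ("1.2.0", "1.2.39"),
        ("1.3.0", "1.3.6"),
        ("2.0.0", "2.0.13"),
    ],
}

# First fixed release on each branch, as recommended by the advisory.
FIXED = {
    "tomcat": ["11.0.20", "10.1.53", "9.0.116"],
    "tomcat-native": ["1.3.7", "2.0.14"],
}

# major.minor.patch with an optional Tomcat milestone suffix such as -M1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_ga, milestone).

    is_ga is 0 for milestone builds and 1 for GA, so 11.0.0-M1 < 11.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(product, version):
    """True if version lies inside any inclusive affected range for product."""
    v = parse_version(version)
    return any(parse_version(low) <= v <= parse_version(high)
               for low, high in AFFECTED[product])


def recommended_fix(product, version):
    """Fixed release to move to, or None when the version is not affected.

    Prefers the fix on the same major.minor branch; otherwise the earliest
    fixed release newer than the installed one (e.g. Tomcat Native 1.2.x -> 1.3.7).
    """
    if not is_affected(product, version):
        return None
    v = parse_version(version)
    same_branch = [f for f in FIXED[product] if parse_version(f)[:2] == v[:2]]
    if same_branch:
        return same_branch[0]
    newer = [f for f in FIXED[product] if parse_version(f) > v]
    return min(newer, key=parse_version) if newer else None


def scan(inventory):
    """Return [(host, product, version, fix)] for every affected inventory row."""
    findings = []
    for host, product, version in inventory:
        if is_affected(product, version):
            findings.append((host, product, version, recommended_fix(product, version)))
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("app-01.example.test", "tomcat", "9.0.100"),
    ("app-02.example.test", "tomcat", "11.0.20"),
    ("app-03.example.test", "tomcat", "10.1.0-M7"),
    ("app-03.example.test", "tomcat-native", "1.2.39"),
    ("legacy-01.example.test", "tomcat", "8.5.100"),
]

if __name__ == "__main__":
    for host, product, version, fix in scan(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected, upgrade to {fix}")
```

The ordering tuple is the part worth copying into other inventory checks: treating a milestone as a separate field that sorts below GA avoids the common mistake of stripping the suffix and then flagging 10.1.0-M6 as affected because it looks like 10.1.0.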
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.