CVE-2026-24734
Modified Modified - Updated After Analysis

Improper Input Validation in Apache Tomcat Native OCSP Handling

Vulnerability report for CVE-2026-24734, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-17

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native:Β  from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39.Β Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-17
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-17
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 51 associated CPEs
Vendor Product Version / Range
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 10.1.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat From 10.1.1 (inc) to 10.1.52 (exc)
apache tomcat From 11.0.1 (inc) to 11.0.18 (exc)
apache tomcat From 9.0.83 (inc) to 9.0.115 (exc)
apache tomcat_native From 1.3.0 (inc) to 1.3.5 (exc)
apache tomcat_native From 2.0.0 (inc) to 2.0.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-295 The product does not validate, or incorrectly validates, a certificate.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an Improper Input Validation issue in Apache Tomcat Native and Apache Tomcat when using an OCSP responder. Specifically, Tomcat Native and Tomcat's FFM port of the Tomcat Native code did not complete verification or freshness checks on the OCSP response. This flaw could allow an attacker to bypass certificate revocation checks.

Impact Analysis

Because the verification or freshness checks on OCSP responses are not properly completed, an attacker could bypass certificate revocation. This means that revoked certificates might still be accepted as valid, potentially allowing unauthorized or malicious entities to impersonate trusted parties or intercept secure communications.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade affected Apache Tomcat Native versions to 1.3.5 or later or 2.0.12 or later.

For Apache Tomcat, upgrade to versions 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart