CVE-2026-29145
CLIENT_CERT Authentication Bypass in Apache Tomcat and Native

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description
Apache Tomcat and Apache Tomcat Native contain a vulnerability in which CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-14
Generated: 2026-05-06
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor   Product         Version / Range
apache   tomcat          From 9.0.83 (inc) to 9.0.116 (exc)
apache   tomcat          10.1.0
apache   tomcat          From 10.1.1 (inc) to 10.1.53 (exc)
apache   tomcat          From 11.0.0 (inc) to 11.0.20 (exc)
apache   tomcat_native   From 1.1.23 (inc) to 1.3.7 (exc)
apache   tomcat_native   From 2.0.0 (inc) to 2.0.14 (exc)
CWE ID    Description
CWE-287   When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in Apache Tomcat and Apache Tomcat Native where CLIENT_CERT authentication does not fail as expected in certain scenarios when the soft fail option is disabled.

This means that even if client certificate authentication should reject a client, it might incorrectly allow access under some conditions.

The issue affects multiple versions of Apache Tomcat and Tomcat Native, and users are advised to upgrade to fixed versions to resolve the problem.

How can this vulnerability impact me?

Because CLIENT_CERT authentication may not fail as expected, unauthorized users could potentially gain access to systems or resources that require client certificate authentication.

This could lead to unauthorized access, compromising the security of applications relying on Apache Tomcat or Tomcat Native for authentication.

What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache Tomcat and Apache Tomcat Native to fixed versions that address this vulnerability.

  • Upgrade Apache Tomcat to version 11.0.20, 10.1.53, or 9.0.116 or later.
  • Upgrade Apache Tomcat Native to version 1.3.7 or 2.0.14 or later.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in CLIENT_CERT authentication causes authentication to not fail as expected in some scenarios when soft fail is disabled. This could potentially allow unauthorized access due to improper authentication enforcement.

Such an authentication bypass can impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Failure to properly authenticate users may lead to unauthorized data access, thereby violating these compliance requirements.

Therefore, organizations using affected versions of Apache Tomcat or Tomcat Native should upgrade to fixed versions to maintain compliance with these regulations.