CVE-2026-34500
Received Received - Intake

CLIENT_CERT Authentication Bypass in Apache Tomcat FFM Component

Vulnerability report for CVE-2026-34500, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-07-06
AI Q&A
2026-04-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 16 associated CPEs
Vendor Product Version / Range
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat From 10.1.22 (inc) to 10.1.54 (exc)
apache tomcat From 11.0.1 (inc) to 11.0.21 (exc)
apache tomcat From 9.0.92 (inc) to 9.0.117 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in Apache Tomcat's CLIENT_CERT authentication mechanism. Specifically, when soft fail is disabled and FFM (Forwarded For Module) is used, the authentication does not fail as expected in certain scenarios. This means that the system might incorrectly accept or process client certificates, potentially bypassing intended authentication checks.

Impact Analysis

The impact of this vulnerability is that unauthorized users might be able to bypass CLIENT_CERT authentication under certain conditions. This could lead to unauthorized access to systems or data protected by Apache Tomcat, potentially compromising security.

Mitigation Strategies

Users are recommended to upgrade Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, which fix the CLIENT_CERT authentication issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart