CVE-2026-34500
Received Received - Intake
CLIENT_CERT Authentication Bypass in Apache Tomcat FFM Component

Publication date: 2026-04-09

Last updated on: 2026-04-14

Assigner: Apache Software Foundation

Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34500
EUVD
EUVD-2026-21059
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat 11.0.0
apache tomcat From 10.1.22 (inc) to 10.1.54 (exc)
apache tomcat From 11.0.1 (inc) to 11.0.21 (exc)
apache tomcat From 9.0.92 (inc) to 9.0.117 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in Apache Tomcat's CLIENT_CERT authentication mechanism. Specifically, when soft fail is disabled and FFM (Forwarded For Module) is used, the authentication does not fail as expected in certain scenarios. This means that the system might incorrectly accept or process client certificates, potentially bypassing intended authentication checks.

Impact Analysis

The impact of this vulnerability is that unauthorized users might be able to bypass CLIENT_CERT authentication under certain conditions. This could lead to unauthorized access to systems or data protected by Apache Tomcat, potentially compromising security.

Mitigation Strategies

Users are recommended to upgrade Apache Tomcat to versions 11.0.21, 10.1.54, or 9.0.117, which fix the CLIENT_CERT authentication issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart