Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.
The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.
Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24734.json",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.1.23"
},
{
"last_affected": "1.1.34"
},
{
"introduced": "1.2.0"
},
{
"last_affected": "1.2.39"
},
{
"introduced": "1.3.0"
},
{
"last_affected": "1.3.4"
},
{
"introduced": "2.0.0"
},
{
"last_affected": "2.0.11"
},
{
"introduced": "11.0.0-M1"
},
{
"last_affected": "11.0.17"
},
{
"introduced": "10.1.0-M7"
},
{
"last_affected": "10.1.51"
},
{
"introduced": "9.0.83"
},
{
"last_affected": "9.0.114"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.4"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.11"
},
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.17"
},
{
"introduced": "10.1.0-M7"
},
{
"fixed": "10.1.51"
},
{
"introduced": "9.0.83"
},
{
"fixed": "9.0.114"
},
{
"introduced": "1.1.23"
},
{
"fixed": "1.1.34"
},
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.39"
}
]
}
],
"cna_assigner": "apache",
"cwe_ids": [
"CWE-20"
]
}{
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "10.1.0-milestone1"
},
{
"last_affected": "10.1.0-milestone1"
},
{
"introduced": "10.1.0-milestone10"
},
{
"last_affected": "10.1.0-milestone10"
},
{
"introduced": "10.1.0-milestone11"
},
{
"last_affected": "10.1.0-milestone11"
},
{
"introduced": "10.1.0-milestone12"
},
{
"last_affected": "10.1.0-milestone12"
},
{
"introduced": "10.1.0-milestone13"
},
{
"last_affected": "10.1.0-milestone13"
},
{
"introduced": "10.1.0-milestone14"
},
{
"last_affected": "10.1.0-milestone14"
},
{
"introduced": "10.1.0-milestone15"
},
{
"last_affected": "10.1.0-milestone15"
},
{
"introduced": "10.1.0-milestone16"
},
{
"last_affected": "10.1.0-milestone16"
},
{
"introduced": "10.1.0-milestone17"
},
{
"last_affected": "10.1.0-milestone17"
},
{
"introduced": "10.1.0-milestone18"
},
{
"last_affected": "10.1.0-milestone18"
},
{
"introduced": "10.1.0-milestone19"
},
{
"last_affected": "10.1.0-milestone19"
},
{
"introduced": "10.1.0-milestone2"
},
{
"last_affected": "10.1.0-milestone2"
},
{
"introduced": "10.1.0-milestone20"
},
{
"last_affected": "10.1.0-milestone20"
},
{
"introduced": "10.1.0-milestone3"
},
{
"last_affected": "10.1.0-milestone3"
},
{
"introduced": "10.1.0-milestone4"
},
{
"last_affected": "10.1.0-milestone4"
},
{
"introduced": "10.1.0-milestone5"
},
{
"last_affected": "10.1.0-milestone5"
},
{
"introduced": "10.1.0-milestone6"
},
{
"last_affected": "10.1.0-milestone6"
},
{
"introduced": "10.1.0-milestone7"
},
{
"last_affected": "10.1.0-milestone7"
},
{
"introduced": "10.1.0-milestone8"
},
{
"last_affected": "10.1.0-milestone8"
},
{
"introduced": "10.1.0-milestone9"
},
{
"last_affected": "10.1.0-milestone9"
},
{
"introduced": "11.0.0-milestone1"
},
{
"last_affected": "11.0.0-milestone1"
},
{
"introduced": "11.0.0-milestone10"
},
{
"last_affected": "11.0.0-milestone10"
},
{
"introduced": "11.0.0-milestone11"
},
{
"last_affected": "11.0.0-milestone11"
},
{
"introduced": "11.0.0-milestone12"
},
{
"last_affected": "11.0.0-milestone12"
},
{
"introduced": "11.0.0-milestone13"
},
{
"last_affected": "11.0.0-milestone13"
},
{
"introduced": "11.0.0-milestone14"
},
{
"last_affected": "11.0.0-milestone14"
},
{
"introduced": "11.0.0-milestone15"
},
{
"last_affected": "11.0.0-milestone15"
},
{
"introduced": "11.0.0-milestone16"
},
{
"last_affected": "11.0.0-milestone16"
},
{
"introduced": "11.0.0-milestone17"
},
{
"last_affected": "11.0.0-milestone17"
},
{
"introduced": "11.0.0-milestone18"
},
{
"last_affected": "11.0.0-milestone18"
},
{
"introduced": "11.0.0-milestone19"
},
{
"last_affected": "11.0.0-milestone19"
},
{
"introduced": "11.0.0-milestone2"
},
{
"last_affected": "11.0.0-milestone2"
},
{
"introduced": "11.0.0-milestone20"
},
{
"last_affected": "11.0.0-milestone20"
},
{
"introduced": "11.0.0-milestone21"
},
{
"last_affected": "11.0.0-milestone21"
},
{
"introduced": "11.0.0-milestone22"
},
{
"last_affected": "11.0.0-milestone22"
},
{
"introduced": "11.0.0-milestone23"
},
{
"last_affected": "11.0.0-milestone23"
},
{
"introduced": "11.0.0-milestone24"
},
{
"last_affected": "11.0.0-milestone24"
},
{
"introduced": "11.0.0-milestone25"
},
{
"last_affected": "11.0.0-milestone25"
},
{
"introduced": "11.0.0-milestone26"
},
{
"last_affected": "11.0.0-milestone26"
},
{
"introduced": "11.0.0-milestone3"
},
{
"last_affected": "11.0.0-milestone3"
},
{
"introduced": "11.0.0-milestone4"
},
{
"last_affected": "11.0.0-milestone4"
},
{
"introduced": "11.0.0-milestone5"
},
{
"last_affected": "11.0.0-milestone5"
},
{
"introduced": "11.0.0-milestone6"
},
{
"last_affected": "11.0.0-milestone6"
},
{
"introduced": "11.0.0-milestone7"
},
{
"last_affected": "11.0.0-milestone7"
},
{
"introduced": "11.0.0-milestone8"
},
{
"last_affected": "11.0.0-milestone8"
},
{
"introduced": "11.0.0-milestone9"
},
{
"last_affected": "11.0.0-milestone9"
}
],
"cpe": [
"cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*"
]
}