CVE-2026-29145

Source
https://cve.org/CVERecord?id=CVE-2026-29145
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29145.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-29145
Aliases
Downstream
Related
Published
2026-04-09T19:20:24.601Z
Modified
2026-07-11T03:54:48.142610854Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Details

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29145.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "11.0.0-M1"
                },
                {
                    "last_affected": "11.0.18"
                },
                {
                    "introduced": "10.1.0-M7"
                },
                {
                    "last_affected": "10.1.52"
                },
                {
                    "introduced": "9.0.83"
                },
                {
                    "last_affected": "9.0.115"
                },
                {
                    "introduced": "1.1.23"
                },
                {
                    "last_affected": "1.1.34"
                },
                {
                    "introduced": "1.2.0"
                },
                {
                    "last_affected": "1.2.39"
                },
                {
                    "introduced": "1.3.0"
                },
                {
                    "last_affected": "1.3.6"
                },
                {
                    "introduced": "2.0.0"
                },
                {
                    "last_affected": "2.0.13"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "introduced": "11.0.0-M1"
                },
                {
                    "fixed": "11.0.18"
                },
                {
                    "introduced": "10.1.0-M7"
                },
                {
                    "fixed": "10.1.52"
                },
                {
                    "introduced": "9.0.83"
                },
                {
                    "fixed": "9.0.115"
                },
                {
                    "introduced": "1.1.23"
                },
                {
                    "fixed": "1.1.34"
                },
                {
                    "introduced": "1.2.0"
                },
                {
                    "fixed": "1.2.39"
                },
                {
                    "introduced": "1.3.0"
                },
                {
                    "fixed": "1.3.6"
                },
                {
                    "introduced": "2.0.0"
                },
                {
                    "fixed": "2.0.13"
                }
            ]
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:tomcat:10.1.0:-:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*"
    ],
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "10.1.0-NA"
        },
        {
            "last_affected": "10.1.0-NA"
        },
        {
            "introduced": "10.1.0-milestone10"
        },
        {
            "last_affected": "10.1.0-milestone10"
        },
        {
            "introduced": "10.1.0-milestone11"
        },
        {
            "last_affected": "10.1.0-milestone11"
        },
        {
            "introduced": "10.1.0-milestone12"
        },
        {
            "last_affected": "10.1.0-milestone12"
        },
        {
            "introduced": "10.1.0-milestone13"
        },
        {
            "last_affected": "10.1.0-milestone13"
        },
        {
            "introduced": "10.1.0-milestone14"
        },
        {
            "last_affected": "10.1.0-milestone14"
        },
        {
            "introduced": "10.1.0-milestone15"
        },
        {
            "last_affected": "10.1.0-milestone15"
        },
        {
            "introduced": "10.1.0-milestone16"
        },
        {
            "last_affected": "10.1.0-milestone16"
        },
        {
            "introduced": "10.1.0-milestone17"
        },
        {
            "last_affected": "10.1.0-milestone17"
        },
        {
            "introduced": "10.1.0-milestone18"
        },
        {
            "last_affected": "10.1.0-milestone18"
        },
        {
            "introduced": "10.1.0-milestone19"
        },
        {
            "last_affected": "10.1.0-milestone19"
        },
        {
            "introduced": "10.1.0-milestone20"
        },
        {
            "last_affected": "10.1.0-milestone20"
        },
        {
            "introduced": "10.1.0-milestone7"
        },
        {
            "last_affected": "10.1.0-milestone7"
        },
        {
            "introduced": "10.1.0-milestone8"
        },
        {
            "last_affected": "10.1.0-milestone8"
        },
        {
            "introduced": "10.1.0-milestone9"
        },
        {
            "last_affected": "10.1.0-milestone9"
        }
    ]
}

Affected versions

10.*
10.1.0-NA
10.1.0-milestone10
10.1.0-milestone11
10.1.0-milestone12
10.1.0-milestone13
10.1.0-milestone14
10.1.0-milestone15
10.1.0-milestone16
10.1.0-milestone17
10.1.0-milestone18
10.1.0-milestone19
10.1.0-milestone20
10.1.0-milestone7
10.1.0-milestone8
10.1.0-milestone9

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29145.json"

Git / github.com/apache/tomcat-native

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat-native
Events
Database specific
{
    "cpe": "cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "1.1.23"
        },
        {
            "fixed": "1.3.7"
        },
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.14"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29145.json"