CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29145.json",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "11.0.0-M1"
},
{
"last_affected": "11.0.18"
},
{
"introduced": "10.1.0-M7"
},
{
"last_affected": "10.1.52"
},
{
"introduced": "9.0.83"
},
{
"last_affected": "9.0.115"
},
{
"introduced": "1.1.23"
},
{
"last_affected": "1.1.34"
},
{
"introduced": "1.2.0"
},
{
"last_affected": "1.2.39"
},
{
"introduced": "1.3.0"
},
{
"last_affected": "1.3.6"
},
{
"introduced": "2.0.0"
},
{
"last_affected": "2.0.13"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "11.0.0-M1"
},
{
"fixed": "11.0.18"
},
{
"introduced": "10.1.0-M7"
},
{
"fixed": "10.1.52"
},
{
"introduced": "9.0.83"
},
{
"fixed": "9.0.115"
},
{
"introduced": "1.1.23"
},
{
"fixed": "1.1.34"
},
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.39"
},
{
"introduced": "1.3.0"
},
{
"fixed": "1.3.6"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.13"
}
]
}
],
"cna_assigner": "apache"
}{
"cpe": [
"cpe:2.3:a:apache:tomcat:10.1.0:-:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*"
],
"source": "CPE_STRING",
"extracted_events": [
{
"introduced": "10.1.0-NA"
},
{
"last_affected": "10.1.0-NA"
},
{
"introduced": "10.1.0-milestone10"
},
{
"last_affected": "10.1.0-milestone10"
},
{
"introduced": "10.1.0-milestone11"
},
{
"last_affected": "10.1.0-milestone11"
},
{
"introduced": "10.1.0-milestone12"
},
{
"last_affected": "10.1.0-milestone12"
},
{
"introduced": "10.1.0-milestone13"
},
{
"last_affected": "10.1.0-milestone13"
},
{
"introduced": "10.1.0-milestone14"
},
{
"last_affected": "10.1.0-milestone14"
},
{
"introduced": "10.1.0-milestone15"
},
{
"last_affected": "10.1.0-milestone15"
},
{
"introduced": "10.1.0-milestone16"
},
{
"last_affected": "10.1.0-milestone16"
},
{
"introduced": "10.1.0-milestone17"
},
{
"last_affected": "10.1.0-milestone17"
},
{
"introduced": "10.1.0-milestone18"
},
{
"last_affected": "10.1.0-milestone18"
},
{
"introduced": "10.1.0-milestone19"
},
{
"last_affected": "10.1.0-milestone19"
},
{
"introduced": "10.1.0-milestone20"
},
{
"last_affected": "10.1.0-milestone20"
},
{
"introduced": "10.1.0-milestone7"
},
{
"last_affected": "10.1.0-milestone7"
},
{
"introduced": "10.1.0-milestone8"
},
{
"last_affected": "10.1.0-milestone8"
},
{
"introduced": "10.1.0-milestone9"
},
{
"last_affected": "10.1.0-milestone9"
}
]
}