CVE-2026-34500

NameCVE-2026-34500
DescriptionCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1133356, 1133357

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat10 (PTS)bookworm10.1.34-0+deb12u2vulnerable
bookworm (security)10.1.52-1~deb12u1vulnerable
trixie (security), trixie10.1.52-1~deb13u1vulnerable
forky, sid10.1.54-1fixed
tomcat11 (PTS)trixie (security), trixie11.0.15-1~deb13u1vulnerable
forky, sid11.0.21-1fixed
tomcat9 (PTS)bullseye9.0.43-2~deb11u10vulnerable
bullseye (security)9.0.107-0+deb11u2fixed
bookworm9.0.70-2fixed
trixie9.0.95-1fixed
forky, sid9.0.115-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat10source(unstable)10.1.54-11133356
tomcat11source(unstable)11.0.21-11133357
tomcat9source(unstable)9.0.70-2

Notes

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
Fixed by: https://github.com/apache/tomcat/commit/c13e60e732ea6d07087293a41ad1866c20848271 (11.0.21)
Fixed by: https://github.com/apache/tomcat/commit/29b56a56ce9e7d044b6162a99af0f38529b3a208 (10.1.54)
Fixed by: https://github.com/apache/tomcat/commit/ff589ab26e8250a2ca4286d986305318c033ff9f (9.0.117)
https://www.openwall.com/lists/oss-security/2026/04/09/29
Search for package or bug name: Reporting problems