CVE-2026-29145
Published: Apr 9, 2026
Modified: Apr 10, 2026
Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Tomcat | affected 11.0.0-M1 - <= 11.0.18affected 10.1.0-M7 - <= 10.1.52affected 9.0.83 - <= 9.0.115unaffected 0 - <= 8.5.100 |
Apache Software Foundation | Apache Tomcat Native | affected 1.1.23 - <= 1.1.34affected 1.2.0 - <= 1.2.39affected 1.3.0 - <= 1.3.6affected 2.0.0 - <= 2.0.13 |
References
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now