Improper Input Validation in Apache Tomcat Native and Apache Tomcat
CVE-2026-24734
Key Information:
- Vendor: Apache
- CVE Published: 17 February 2026
What is CVE-2026-24734?
Apache Tomcat Native and Apache Tomcat contain an improper input validation vulnerability: OCSP responses are not subjected to verification and freshness checks, which could allow attackers to bypass certificate revocation mechanisms. The issue affects specific versions of both Apache Tomcat Native and Apache Tomcat, and users who have not updated to the recommended versions remain exposed. To mitigate it, upgrade Tomcat Native to 1.3.5 or later, and Apache Tomcat to 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later.
Affected Version(s)
Apache Tomcat 11.0.0-M1 <= 11.0.17
Apache Tomcat 10.1.0-M7 <= 10.1.51
Apache Tomcat 9.0.83 <= 9.0.114