Improper Client Certificate Authentication in Apache Tomcat
CVE-2026-34500
Currently unrated
What is CVE-2026-34500?
Apache Tomcat's CLIENT_CERT authentication may fail to reject a request as intended when certificate verification soft fail is disabled, in particular when the FFM (Java Foreign Function & Memory API) based OpenSSL support is in use. Several Tomcat release lines are affected, and a successful attack could grant unauthorized access to resources that are protected only by client certificate authentication. Users should upgrade to Apache Tomcat 11.0.21, 10.1.54 or 9.0.117 (or later), which contain the fix.
Affected Version(s)
Apache Tomcat 11.0.0-M14 through 11.0.20 (inclusive)
Apache Tomcat 10.1.22 through 10.1.53 (inclusive)
Apache Tomcat 9.0.92 through 9.0.116 (inclusive)
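The version ranges above include a milestone lower bound (11.0.0-M14), which naive string or numeric comparison gets wrong because a milestone sorts before the final release with the same number. The following script is an added example, not part of this advisory or of Apache Tomcat: it parses the version string printed by `catalina.sh version` (the "Server version: Apache Tomcat/..." line), orders milestones correctly, and reports whether the running version falls inside one of the affected ranges listed here and which release fixes it. The sample `catalina.sh version` output is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed releases exactly as listed in this advisory,
# keyed by release line: (first affected, last affected, fixed release).
AFFECTED_RANGES = {
    "11.0": ("11.0.0-M14", "11.0.20", "11.0.21"),
    "10.1": ("10.1.22", "10.1.53", "10.1.54"),
    "9.0": ("9.0.92", "9.0.116", "9.0.117"),
}

# major.minor.patch, optional "-M<n>" milestone, optional trailing ".<build>"
# (e.g. "10.1.50.0" as printed in the "Server number:" line).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?(?:\.\d+)?$")

# "Server version: Apache Tomcat/11.0.0-M14" keeps the milestone suffix,
# so it is the line to read rather than "Server number:".
_SERVER_VERSION_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable tuple for a Tomcat version string.

    Milestones are encoded as (0, n) and final releases as (1, 0) in the
    last two positions, so 11.0.0-M14 < 11.0.0 < 11.0.1, as Tomcat intends.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tag = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tag


def assess(version_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version) for a Tomcat version.

    Release lines not covered by this advisory yield (False, None).
    """
    v = parse_version(version_text)
    rng = AFFECTED_RANGES.get(f"{v[0]}.{v[1]}")
    if rng is None:
        return (False, None)
    first, last, fixed = rng
    affected = parse_version(first) <= v <= parse_version(last)
    return (affected, fixed if affected else None)


def version_from_catalina_output(output: str) -> str:
    """Extract the version from 'catalina.sh version' output."""
    m = _SERVER_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)


# Constructed sample of 'catalina.sh version' output (not captured from a real host).
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/10.1.50
Server built:   Jan 1 2026 00:00:00 UTC
Server number:  10.1.50.0
OS Name:        Linux
"""

if __name__ == "__main__":
    running = version_from_catalina_output(SAMPLE_OUTPUT)
    affected, fixed = assess(running)
    if affected:
        print(f"Apache Tomcat {running} is affected by CVE-2026-34500; upgrade to {fixed} or later")
    else:
        print(f"Apache Tomcat {running} is not in an affected range listed by this advisory")
```

Run it against the real output of `$CATALINA_HOME/bin/catalina.sh version` by replacing `SAMPLE_OUTPUT`. The milestone ordering matters at the 11.0 lower bound: 11.0.0-M13 is outside the range, while 11.0.0-M14 and the 11.0.0 final release are inside it.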