CVE-2026-29145 · CRITICAL 9.1 · EPSS percentile 46.9%

Description

Apache Tomcat and Apache Tomcat Native: CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled. This issue affects Apache Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115; and Apache Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13. Users are recommended to upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.66% probability of exploitation · percentile 46.9% · 2026-06-19T12:03:05Z
Published: 2026-04-09
Last modified: 2026-04-14

Underlying weaknesses (1)

CWE-287

References

  1. https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
  2. http://www.openwall.com/lists/oss-security/2026/04/09/23

Type      Target                               Confidence  Tier
Weakness  Improper Authentication (cwe-287)    0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-66614
  2. CVE: CVE-2026-43512
  3. CVE: CVE-2026-43515
  4. CVE: CVE-2026-41293
  5. CVE: CVE-2025-31651
  6. CVE: Apache Tomcat Improper Privilege Management Vulnerability

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.