CVE-2026-29145 Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

🗓️ 09 Apr 2026 19:20:24Reported by apacheType

OCSP soft-fail bug may not fail client certificate authentication when disabled.

Reporter	Title	Published	Views	Family All 109
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM DataStax Enterprise	27 May 202617:14	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in tomcat-embed-core-11.0.18.jar	13 May 202616:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Integration Bus for z/OS is vulnerable to multiple vulnerabilities due to Apache Tomcat	14 May 202614:09	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Apache Tomcat and Lodash might affect IBM Storage Defender Copy Data Management	4 May 202616:20	–	ibm
IBM Security Bulletins	Security Bulletin: The Apache Tomcat application server that is shipped with IBM ApplinX is vulnerable to multiple vulnerabilities.	16 Jun 202617:54	–	ibm
IBM Security Bulletins	Security Bulletin: MongoDB Enterprised Advanced affected by: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), URL Redirection to Untrusted Site ('Open Redirect'), and 3 more (CVE-2026-24880, CVE-2026-25854, and 3 more)	16 Jun 202614:13	–	ibm
GithubExploit	Exploit for Improper Authentication in Apache Tomcat	23 Apr 202617:26	–	githubexploit
ATTACKERKB	CVE-2026-29145	9 Apr 202619:20	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : tomcat-native (ALAS2023-2026-1595)	30 Apr 202600:00	–	nessus
Tenable Nessus	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2026-1672)	20 May 202600:00	–	nessus

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "11.0.18",
        "status": "affected",
        "version": "11.0.0-M1",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "10.1.52",
        "status": "affected",
        "version": "10.1.0-M7",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "9.0.115",
        "status": "affected",
        "version": "9.0.83",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "8.5.100",
        "status": "unaffected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tomcat Native",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.1.34",
        "status": "affected",
        "version": "1.1.23",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "1.2.39",
        "status": "affected",
        "version": "1.2.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "1.3.6",
        "status": "affected",
        "version": "1.3.0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "2.0.13",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

09 Apr 2026 19:20Current

EPSS0.00664