CVE-2026-29145 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-29145

CVE-2026-29145

Published:April 09, 2026

Updated:April 20, 2026

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Affected Packages

https://github.com/apache/tomcat.git (GITHUB):

Affected version(s) >=9.0.83 <9.0.116

Fix Suggestion:

Update to version 9.0.116

https://github.com/apache/tomcat.git (GITHUB):

Affected version(s) >=11.0.0-M1 <11.0.20

Fix Suggestion:

Update to version 11.0.20

https://github.com/apache/tomcat.git (GITHUB):

Affected version(s) >=10.1.0-M7 <10.1.53

Fix Suggestion:

Update to version 10.1.53

org.apache.tomcat:tomcat-coyote (JAVA):

Affected version(s) >=9.0.83 <9.0.116

Fix Suggestion:

Update to version 9.0.116

org.apache.tomcat.embed:tomcat-embed-core (JAVA):

Affected version(s) >=11.0.0-M1 <11.0.20

Fix Suggestion:

Update to version 11.0.20

org.apache.tomcat:tomcat-catalina (JAVA):

Affected version(s) >=10.1.0-M7 <10.1.53

Fix Suggestion:

Update to version 10.1.53

org.apache.tomcat:tomcat-coyote (JAVA):

Affected version(s) >=10.1.0-M7 <10.1.53

Fix Suggestion:

Update to version 10.1.53

org.apache.tomcat:tomcat-coyote (JAVA):

Affected version(s) >=11.0.0-M1 <11.0.20

Fix Suggestion:

Update to version 11.0.20

org.apache.tomcat:tomcat-catalina (JAVA):

Affected version(s) >=11.0.0-M1 <11.0.20

Fix Suggestion:

Update to version 11.0.20

org.apache.tomcat.embed:tomcat-embed-core (JAVA):

Affected version(s) >=9.0.83 <9.0.116

Fix Suggestion:

Update to version 9.0.116

org.apache.tomcat.embed:tomcat-embed-core (JAVA):

Affected version(s) >=10.1.0-M7 <10.1.53

Fix Suggestion:

Update to version 10.1.53

org.apache.tomcat:tomcat-catalina (JAVA):

Affected version(s) >=9.0.83 <9.0.116

Fix Suggestion:

Update to version 9.0.116

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-29145

https://github.com/apache/tomcat

https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz

http://www.openwall.com/lists/oss-security/2026/04/09/23

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Weakness Type (CWE)

Improper Authentication

CWE-287

EPSS

Base Score:

0.12

Products

Solutions

Resources

Company

Compare

Developer Tools