{"id":"CVE-2026-29145","summary":"Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled","details":"CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\n\nUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.","aliases":["BIT-tomcat-2026-29145","GHSA-95jq-rwvf-vjx4"],"modified":"2026-07-11T03:54:48.142610854Z","published":"2026-04-09T19:20:24.601Z","related":["CGA-w4c6-8mq2-4848","SUSE-SU-2026:1558-1","SUSE-SU-2026:1572-1","SUSE-SU-2026:1603-1","SUSE-SU-2026:1604-1","SUSE-SU-2026:21366-1","SUSE-SU-2026:21378-1","SUSE-SU-2026:21379-1","openSUSE-SU-2026:10547-1","openSUSE-SU-2026:10548-1","openSUSE-SU-2026:10549-1","openSUSE-SU-2026:20595-1","openSUSE-SU-2026:20611-1","openSUSE-SU-2026:20612-1"],"database_specific":{"cna_assigner":"apache","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29145.json","unresolved_ranges":[{"extracted_events":[{"introduced":"11.0.0-M1"},{"last_affected":"11.0.18"},{"introduced":"10.1.0-M7"},{"last_affected":"10.1.52"},{"introduced":"9.0.83"},{"last_affected":"9.0.115"},{"introduced":"1.1.23"},{"last_affected":"1.1.34"},{"introduced":"1.2.0"},{"last_affected":"1.2.39"},{"introduced":"1.3.0"},{"last_affected":"1.3.6"},{"introduced":"2.0.0"},{"last_affected":"2.0.13"}],"source":"AFFECTED_FIELD"},{"extracted_events":[{"introduced":"11.0.0-M1"},{"fixed":"11.0.18"},{"introduced":"10.1.0-M7"},{"fixed":"10.1.52"},{"introduced":"9.0.83"},{"fixed":"9.0.115"},{"introduced":"1.1.23"},{"fixed":"1.1.34"},{"introduced":"1.2.0"},{"fixed":"1.2.39"},{"introduced":"1.3.0"},{"fixed":"1.3.6"},{"introduced":"2.0.0"},{"fixed":"2.0.13"}],"source":"DESCRIPTION"}]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/04/09/23"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29145.json"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29145"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e9d17cddc285615807ec5fef09240777436b25dc"},{"last_affected":"02d546ba3c553c74ff1a99ecc166a6ff9c501ba8"}],"database_specific":{"extracted_events":[{"introduced":"10.1.0-NA"},{"last_affected":"10.1.0-NA"},{"introduced":"10.1.0-milestone10"},{"last_affected":"10.1.0-milestone10"},{"introduced":"10.1.0-milestone11"},{"last_affected":"10.1.0-milestone11"},{"introduced":"10.1.0-milestone12"},{"last_affected":"10.1.0-milestone12"},{"introduced":"10.1.0-milestone13"},{"last_affected":"10.1.0-milestone13"},{"introduced":"10.1.0-milestone14"},{"last_affected":"10.1.0-milestone14"},{"introduced":"10.1.0-milestone15"},{"last_affected":"10.1.0-milestone15"},{"introduced":"10.1.0-milestone16"},{"last_affected":"10.1.0-milestone16"},{"introduced":"10.1.0-milestone17"},{"last_affected":"10.1.0-milestone17"},{"introduced":"10.1.0-milestone18"},{"last_affected":"10.1.0-milestone18"},{"introduced":"10.1.0-milestone19"},{"last_affected":"10.1.0-milestone19"},{"introduced":"10.1.0-milestone20"},{"last_affected":"10.1.0-milestone20"},{"introduced":"10.1.0-milestone7"},{"last_affected":"10.1.0-milestone7"},{"introduced":"10.1.0-milestone8"},{"last_affected":"10.1.0-milestone8"},{"introduced":"10.1.0-milestone9"},{"last_affected":"10.1.0-milestone9"}],"source":"CPE_STRING","cpe":["cpe:2.3:a:apache:tomcat:10.1.0:-:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*","cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*"]}}],"versions":["10.1.0-NA","10.1.0-milestone10","10.1.0-milestone11","10.1.0-milestone12","10.1.0-milestone13","10.1.0-milestone14","10.1.0-milestone15","10.1.0-milestone16","10.1.0-milestone17","10.1.0-milestone18","10.1.0-milestone19","10.1.0-milestone20","10.1.0-milestone7","10.1.0-milestone8","10.1.0-milestone9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29145.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat-native","events":[{"introduced":"71090a48b31816e3d5a0646be5c3e7b2b533bf07"},{"fixed":"c51879b3c49b35807d70f5667cf3230035babd97"},{"introduced":"39c19afe4a3df7ea4fda778d82dc25bd494a110c"},{"fixed":"ad89e96bdc47f9a75dbafb04ec08d60e9042708b"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:apache:tomcat_native:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.1.23"},{"fixed":"1.3.7"},{"introduced":"2.0.0"},{"fixed":"2.0.14"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29145.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}