CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34500.json",
"cna_assigner": "apache",
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "11.0.0-M14"
},
{
"last_affected": "11.0.20"
},
{
"introduced": "10.1.22"
},
{
"last_affected": "10.1.53"
},
{
"introduced": "9.0.92"
},
{
"last_affected": "9.0.116"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"introduced": "11.0.0-M14"
},
{
"fixed": "11.0.20"
},
{
"introduced": "10.1.22"
},
{
"fixed": "10.1.53"
},
{
"introduced": "9.0.92"
},
{
"fixed": "9.0.116"
}
],
"source": "DESCRIPTION"
}
]
}{
"cpe": [
"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "9.0.92"
},
{
"fixed": "9.0.117"
},
{
"introduced": "10.1.22"
},
{
"fixed": "10.1.54"
},
{
"introduced": "11.0.1"
},
{
"fixed": "11.0.21"
},
{
"introduced": "11.0.0-milestone14"
},
{
"last_affected": "11.0.0-milestone14"
},
{
"introduced": "11.0.0-milestone15"
},
{
"last_affected": "11.0.0-milestone15"
},
{
"introduced": "11.0.0-milestone16"
},
{
"last_affected": "11.0.0-milestone16"
},
{
"introduced": "11.0.0-milestone17"
},
{
"last_affected": "11.0.0-milestone17"
},
{
"introduced": "11.0.0-milestone18"
},
{
"last_affected": "11.0.0-milestone18"
},
{
"introduced": "11.0.0-milestone19"
},
{
"last_affected": "11.0.0-milestone19"
},
{
"introduced": "11.0.0-milestone20"
},
{
"last_affected": "11.0.0-milestone20"
},
{
"introduced": "11.0.0-milestone21"
},
{
"last_affected": "11.0.0-milestone21"
},
{
"introduced": "11.0.0-milestone22"
},
{
"last_affected": "11.0.0-milestone22"
},
{
"introduced": "11.0.0-milestone23"
},
{
"last_affected": "11.0.0-milestone23"
},
{
"introduced": "11.0.0-milestone24"
},
{
"last_affected": "11.0.0-milestone24"
},
{
"introduced": "11.0.0-milestone25"
},
{
"last_affected": "11.0.0-milestone25"
},
{
"introduced": "11.0.0-milestone26"
},
{
"last_affected": "11.0.0-milestone26"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}