CVE-2026-29145 - Vulnerability Analysis
CriticalCVSS: 9.1Last Updated: April 10, 2026
Apache Tomcat - Authentication Bypass
Published: April 9, 2026Updated: April 10, 2026Remote Exploitable
Overview
Apache Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, 9.0.83 through 9.0.115 and Apache Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, 2.0.0 through 2.0.13 contain an authentication bypass caused by CLIENT_CERT authentication not failing as expected when soft fail is disabled, letting attackers bypass authentication, exploit requires specific CLIENT_CERT authentication configuration.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can bypass CLIENT_CERT authentication, potentially gaining unauthorized access to the system.
Mitigation
Upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53, 9.0.116.
References
Related Resources
Details
- CVE ID
- CVE-2026-29145
- Severity
- Critical
- CVSS Score
- 9.1
- Type
- broken_authentication
- Status
- new
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N