CVE-2026-29145: Apache Tomcat: CLIENT_CERT authentication does not fail as expected

April 9, 2026 (updated April 10, 2026)

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

References

github.com/advisories/GHSA-95jq-rwvf-vjx4
github.com/apache/tomcat
lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
nvd.nist.gov/vuln/detail/CVE-2026-29145

Code Behaviors & Features

Detect and mitigate CVE-2026-29145 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →