CVE-2026-24734: Apache Tomcat Coyote FFM OCSP verification bypass

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native (and Tomcat’s FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.

The vulnerable code is in the OpenSSLEngine class within the org.apache.tomcat.util.net.openssl.panama package, which is shipped in the tomcat-coyote-ffm artifact.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.

Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.