CVE-2026-24734: Apache Tomcat OCSP verification bypass

February 17, 2026

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native (and Tomcat’s FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.

Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

References

github.com/advisories/GHSA-mgp5-rv84-w37q
lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
nvd.nist.gov/vuln/detail/CVE-2026-24734

Code Behaviors & Features

Detect and mitigate CVE-2026-24734 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →