[SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

Mark Thomas Tue, 17 Feb 2026 10:25:34 -0800

CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass


Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected

Description:

When using an OCSP responder, Tomcat Native (and Tomcat's FFM port ofthe Tomcat Native code) did not complete verification or freshnesschecks on the OCSP response which could allow certificate revocation tobe bypassed.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later

Credit:
This issue was identified by Joshua Rogers (@MegaManSec)

History:
2026-02-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

[SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass

Reply via email to