CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected
Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation to
be bypassed.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later
Credit:
This issue was identified by Joshua Rogers (@MegaManSec)
History:
2026-02-17 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
