CVE-2026-29145

CVE-2026-29145 is a vulnerability in the CLIENT_CERT authentication mechanism of Apache Tomcat and Apache Tomcat Native, where authentication does not fail as expected in certain scenarios even when soft fail is disabled. This improper authentication issue, classified under CWE-287, affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Apache Tomcat Native versions from 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows unauthorized access by bypassing CLIENT_CERT authentication checks, potentially enabling attackers to read sensitive data or modify application state without proper validation.

Apache advisories recommend upgrading to Apache Tomcat Native 1.3.7 or 2.0.14, alongside Apache Tomcat 11.0.20, 10.1.53, or 9.0.116, which address the issue. Detailed discussions are available in the Apache mailing list announcement at https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/23.