PatchSiren cyber security CVE debrief
CVE-2026-24734 Apache CVE debrief
CVE-2026-24734 is an Improper Input Validation vulnerability in Apache Tomcat Native and Apache Tomcat. When using an OCSP responder, Tomcat Native did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects multiple versions of Apache Tomcat Native and Apache Tomcat. Users are recommended to upgrade to fixed versions to mitigate the vulnerability.
- Vendor: Apache
- Product: Tomcat
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-17
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-17
- Advisory updated: 2026-06-30
Who should care
Apache Tomcat users and administrators should be aware of this vulnerability, especially those using OCSP responders. Upgrading to fixed versions is crucial to prevent potential certificate revocation bypass.
Technical summary
The vulnerability exists in Apache Tomcat Native and in Tomcat's FFM port of the Tomcat Native code. It affects Apache Tomcat Native versions from 1.3.0 through 1.3.4 and from 2.0.0 through 2.0.11, and Apache Tomcat versions from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, and from 9.0.83 through 9.0.114. Because the OCSP response was not fully verified or checked for freshness, an unverified or stale response could be accepted and a certificate that has been revoked could still be treated as valid, bypassing revocation checking.
Defensive priority
High priority should be given to upgrading affected versions of Apache Tomcat Native and Apache Tomcat. Users should apply patches or upgrade to versions 1.3.5 or later of Tomcat Native, or to versions 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later of Apache Tomcat.
Recommended defensive actions
- Upgrade Apache Tomcat Native to version 1.3.5 or later
- Upgrade Apache Tomcat to version 11.0.18 or later
- Upgrade Apache Tomcat to version 10.1.52 or later
- Upgrade Apache Tomcat to version 9.0.115 or later
- Review and update inventory of Apache Tomcat and Tomcat Native installations
- Monitor for potential exploitation attempts
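To support the inventory step above, here is a small version-range checker written for this debrief; it is an added example, not code from PatchSiren or from the Apache Tomcat project. The affected ranges and fixed versions are taken from this page; the product labels (`tomcat`, `tomcat-native`), the `host product version` inventory format and the hostnames in the sample are assumptions constructed for the example. Tomcat milestone releases such as 11.0.0-M1 sort before the corresponding GA release, which a plain string comparison gets wrong, so the key handles the `-M` suffix explicitly.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges (inclusive) exactly as stated in the debrief above.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "tomcat-native": [("1.3.0", "1.3.4"), ("2.0.0", "2.0.11")],
    "tomcat": [("11.0.0-M1", "11.0.17"), ("10.1.0-M7", "10.1.51"), ("9.0.83", "9.0.114")],
}

# Fixed versions named in the debrief. The page names no fixed release for the
# Tomcat Native 2.0.x branch, so none is listed here (nothing is guessed).
FIXED: Dict[str, List[str]] = {
    "tomcat-native": ["1.3.5"],
    "tomcat": ["11.0.18", "10.1.52", "9.0.115"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for Tomcat-style versions.

    Milestones such as 11.0.0-M1 sort before the GA release 11.0.0, so the key
    is (major, minor, patch, is_ga, milestone) with is_ga = 0 for milestones.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside an affected range (inclusive)."""
    key = version_key(version)
    for low, high in AFFECTED.get(product, []):
        if version_key(low) <= key <= version_key(high):
            return True
    return False


def recommended_upgrade(product: str, version: str) -> Optional[str]:
    """Fixed release on the same major.minor branch, or None if the page names none."""
    major, minor = version_key(version)[:2]
    for fixed in FIXED.get(product, []):
        if version_key(fixed)[:2] == (major, minor):
            return fixed
    return None


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str, bool, Optional[str]]]:
    """Parse constructed 'host product version' lines and flag each entry.

    Returns (host, product, version, affected, upgrade_to) tuples; blank lines
    and '#' comments are skipped.
    """
    results = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, product, version = line.split()
        affected = is_affected(product, version)
        upgrade = recommended_upgrade(product, version) if affected else None
        results.append((host, product, version, affected, upgrade))
    return results


# Constructed sample inventory (hostnames are made up; versions come from the page's ranges).
SAMPLE_INVENTORY = """
# host           product        version
web-01           tomcat         10.1.20
web-02           tomcat         11.0.0-M1
web-03           tomcat         9.0.115
api-01           tomcat-native  2.0.11
api-02           tomcat-native  1.3.5
""".splitlines()

if __name__ == "__main__":
    for host, product, version, affected, upgrade in triage_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED" if affected else "ok"
        if upgrade:
            note = f" -> upgrade to {upgrade}"
        elif affected:
            note = " (no fixed version stated in the debrief)"
        else:
            note = ""
        print(f"{host:8} {product:14} {version:10} {status}{note}")
```

Run it as a script to print one line per inventory entry; `api-01` is flagged as affected with no upgrade target because the page states a fixed release only for the 1.3.x line of Tomcat Native.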
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability, including affected versions and recommended patches. Multiple vendor advisories and errata are available, indicating the importance of addressing this issue.
Official resources
- CVE-2026-24734 CVE record (CVE.org)
- CVE-2026-24734 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Mailing List, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.