PatchSiren cyber security CVE debrief

CVE-2026-24734 Apache CVE debrief

CVE-2026-24734 is an Improper Input Validation vulnerability in Apache Tomcat Native and Apache Tomcat. When using an OCSP responder, Tomcat Native did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects multiple versions of Apache Tomcat Native and Apache Tomcat. Users are recommended to upgrade to fixed versions to mitigate the vulnerability.
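The defect described above is the absence of the checks a relying party must make before trusting an OCSP answer: that the response was signed by a trusted responder, and that its validity window actually covers the moment of the handshake. The following Python is an added example written for this debrief, not code from Apache Tomcat Native or the Tomcat FFM port. It models a parsed OCSP response as a small dataclass (field names, the 5-minute clock-skew allowance and the 7-day cap for responses without nextUpdate are this example's assumptions, informed by RFC 6960) and shows a complete acceptance policy: a stale "good" answer replayed long after its nextUpdate, or an unsigned one, is rejected rather than treated as proof the certificate is still valid.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class OcspResponse:
    """Fields of a parsed OCSP response that an acceptance policy needs.

    Constructed for this example (hypothetical, not a DER parser); names
    follow RFC 6960's BasicOCSPResponse / SingleResponse.
    """
    response_status: str            # "successful" or an OCSP error status
    cert_status: str                # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]
    signature_valid: bool           # result of verifying the responder signature
    nonce_matches: Optional[bool]   # None when the request carried no nonce


class OcspValidationError(Exception):
    pass


def check_ocsp_response(resp, now, skew=timedelta(minutes=5),
                        max_age=timedelta(days=7)):
    """Accept only a verified AND fresh response; raise otherwise.

    Returns the certificate status carried by the response. Note that a
    response saying "revoked" passes this check: freshness and signature
    decide whether the answer is trustworthy, the caller then acts on it.
    """
    if resp.response_status != "successful":
        raise OcspValidationError(f"responder returned {resp.response_status}")
    if not resp.signature_valid:
        raise OcspValidationError("response signature not verified")
    if resp.nonce_matches is False:
        raise OcspValidationError("nonce mismatch: possible replayed response")
    if resp.this_update > now + skew:
        raise OcspValidationError("thisUpdate is in the future")
    if resp.next_update is not None:
        if resp.next_update < now - skew:
            raise OcspValidationError("response expired (nextUpdate in the past)")
    elif now - resp.this_update > max_age:
        # No nextUpdate means "newer data is always available"; cap the age
        # we tolerate instead of trusting an arbitrarily old answer.
        raise OcspValidationError("response older than max_age and has no nextUpdate")
    return resp.cert_status


def evaluate(resp, now, **policy):
    """The accepted status string, or 'rejected: <reason>'."""
    try:
        return check_ocsp_response(resp, now, **policy)
    except OcspValidationError as err:
        return f"rejected: {err}"


# Constructed clock and responses for a stand-alone run (not real data).
NOW = datetime(2026, 3, 12, 9, 14, tzinfo=timezone.utc)
H, D = timedelta(hours=1), timedelta(days=1)
SAMPLES = {
    "fresh_good":     OcspResponse("successful", "good", NOW - H, NOW + 3 * D, True, True),
    "revoked":        OcspResponse("successful", "revoked", NOW - H, NOW + 3 * D, True, True),
    "stale_replayed": OcspResponse("successful", "good", NOW - 30 * D, NOW - 23 * D, True, None),
    "unsigned_good":  OcspResponse("successful", "good", NOW - H, NOW + 3 * D, False, True),
    "old_no_next":    OcspResponse("successful", "good", NOW - 10 * D, None, True, None),
    "future_update":  OcspResponse("successful", "good", NOW + H, NOW + 3 * D, True, True),
}


def demo():
    """Evaluate every constructed sample against NOW."""
    return {name: evaluate(resp, NOW) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The point to take from the stale and unsigned cases is that a revocation check which skips either step degrades to "any response with status good is fine", which is exactly the bypass the advisory describes.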

Vendor: Apache
Product: Tomcat
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-17
Original CVE updated: 2026-06-30
Advisory published: 2026-02-17
Advisory updated: 2026-06-30

Who should care

Apache Tomcat administrators should be aware of this vulnerability, particularly those who have configured an OCSP responder for certificate checking through Tomcat Native or Tomcat's FFM port of that code. Upgrading to a fixed version is what closes the revocation bypass.

Technical summary

The vulnerability exists in Apache Tomcat Native and in Tomcat's FFM port of the Tomcat Native code. It affects Apache Tomcat Native versions 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11, and Apache Tomcat versions 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114. Because the OCSP response is not fully verified or checked for freshness, a certificate that the responder has reported as revoked may still be accepted, so revocation checking can be bypassed when an OCSP responder is in use.

Defensive priority

High priority should be given to upgrading affected versions of Apache Tomcat Native and Apache Tomcat. Users should apply patches or upgrade to versions 1.3.5 or later of Tomcat Native, or to versions 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later of Apache Tomcat.

Recommended defensive actions

  • Upgrade Apache Tomcat Native to version 1.3.5 or later
  • Upgrade Apache Tomcat to version 11.0.18 or later
  • Upgrade Apache Tomcat to version 10.1.52 or later
  • Upgrade Apache Tomcat to version 9.0.115 or later
  • Review and update inventory of Apache Tomcat and Tomcat Native installations
  • Monitor for potential exploitation attempts
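Reviewing an inventory against the version ranges in the technical summary is mostly a matter of comparing version strings correctly, and Tomcat's milestone builds (11.0.0-M1, 10.1.0-M7) do not sort lexically. The script below is an added example for this debrief, not PatchSiren's or Apache's tooling. It encodes the advisory's inclusive affected ranges, orders milestone builds before the final release of the same number, and scans startup log lines for the two banners that carry the versions. The log-line formats reflect what Tomcat's VersionLoggerListener and AprLifecycleListener print in my understanding; the sample lines themselves are constructed and not from any real host.

```python
import re

# Inclusive affected ranges as stated in the advisory for CVE-2026-24734.
AFFECTED_RANGES = {
    "tomcat-native": [("1.3.0", "1.3.4"), ("2.0.0", "2.0.11")],
    "tomcat": [("11.0.0-M1", "11.0.17"),
               ("10.1.0-M7", "10.1.51"),
               ("9.0.83", "9.0.114")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '10.1.0-M7' or '9.0.114' into a sortable tuple.

    Milestone builds precede the final release with the same number, so the
    tuple carries an is_final flag before the milestone number:
    11.0.0-M1 < 11.0.0-M2 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(product, version):
    """True if `version` of `product` falls inside an advisory range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


# Startup banners that carry the two versions (assumed formats, see lead-in).
_TOMCAT_BANNER = re.compile(r"Server version name:\s+Apache Tomcat/(\S+)")
_NATIVE_BANNER = re.compile(r"Loaded Apache Tomcat Native library \[([^\]]+)\]")


def triage_log(lines):
    """Scan catalina.out-style lines; return {product: (version, affected)}."""
    found = {}
    for line in lines:
        m = _TOMCAT_BANNER.search(line)
        if m:
            found["tomcat"] = (m.group(1), is_affected("tomcat", m.group(1)))
        m = _NATIVE_BANNER.search(line)
        if m:
            found["tomcat-native"] = (m.group(1),
                                      is_affected("tomcat-native", m.group(1)))
    return found


# Constructed sample log lines (not from any real host) for a stand-alone run.
SAMPLE_LOG = [
    "12-Mar-2026 09:14:02.118 INFO [main] org.apache.catalina.startup."
    "VersionLoggerListener.log Server version name:   Apache Tomcat/10.1.40",
    "12-Mar-2026 09:14:02.902 INFO [main] org.apache.catalina.core."
    "AprLifecycleListener.initializeSSL Loaded Apache Tomcat Native library "
    "[2.0.8] using APR version [1.7.4].",
]

if __name__ == "__main__":
    for product, (version, affected) in triage_log(SAMPLE_LOG).items():
        status = "AFFECTED - upgrade" if affected else "not in advisory range"
        print(f"{product:14} {version:12} {status}")
```

Run it over the collected startup logs of each host; any entry reported as affected maps directly onto the upgrade bullets above. Hosts where only the Tomcat banner appears and no Tomcat Native banner is logged are not loading the native library at all.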

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability, including affected versions and recommended patches. Multiple vendor advisories and errata are available, indicating the importance of addressing this issue.

Official resources

This article is AI-assisted and based on the supplied source corpus.