CVE-2026-29145 - Vulnerability Analysis

Overview

Apache Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, 9.0.83 through 9.0.115 and Apache Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, 2.0.0 through 2.0.13 contain an authentication bypass caused by CLIENT_CERT authentication not failing as expected when soft fail is disabled, letting attackers bypass authentication, exploit requires specific CLIENT_CERT authentication configuration.

Severity & Score

Impact

Attackers can bypass CLIENT_CERT authentication, potentially gaining unauthorized access to the system.

Mitigation

Upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53, 9.0.116.

References

• https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
• http://www.openwall.com/lists/oss-security/2026/04/09/23

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 12, 2026

🔴 CVE-2026-29145 - Critical (9.1) CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29145/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

• https://github.com/gregk4sec/cve-2026-29145

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner