CVE-2026-24734
Published: 17 February 2026
Summary
CVE-2026-24734 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Tomcat allows remote unauthenticated exploitation to bypass OCSP revocation checks; description explicitly enables impersonation and man-in-the-middle attacks via compromised certificates.
NVD Description
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow…
more
certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
Deeper analysisAI
CVE-2026-24734 is an Improper Input Validation vulnerability (CWE-20) affecting Apache Tomcat Native and Apache Tomcat. Specifically, when using an OCSP responder, Tomcat Native (versions 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11) and Tomcat's FFM port of the Tomcat Native code fail to complete verification or freshness checks on OCSP responses, enabling attackers to bypass certificate revocation checks. The vulnerability also impacts Apache Tomcat versions 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114, as well as end-of-life Tomcat Native versions 1.1.23 through 1.1.34 and 1.2.0 through 1.2.39.
Remote attackers require no privileges or user interaction (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and can exploit this over the network with low complexity. By providing a malicious or stale OCSP response that is not properly validated, attackers can prevent the detection of revoked certificates, potentially allowing continued use of compromised certificates for secure connections and enabling integrity violations such as impersonation or man-in-the-middle attacks.
Apache advisories recommend upgrading Apache Tomcat Native to 1.3.5 or later, or 2.0.12 or later, and Apache Tomcat to 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later to mitigate the issue. Additional details are available in the Apache security announcement at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml.
Details
- CWE(s)