Cyber Resilience

CVE-2026-24734

High

Published: 17 February 2026

Published
17 February 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0009 25.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24734 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24734 is an Improper Input Validation vulnerability (CWE-20) affecting Apache Tomcat Native and Apache Tomcat. Specifically, when using an OCSP responder, Tomcat Native (versions 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11) and Tomcat's FFM port of the Tomcat Native code fail to complete verification or freshness checks on OCSP responses, enabling attackers to bypass certificate revocation checks. The vulnerability also impacts Apache Tomcat versions 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114, as well as end-of-life Tomcat Native versions 1.1.23 through 1.1.34 and 1.2.0 through 1.2.39.

Remote attackers require no privileges or user interaction (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and can exploit this over the network with low complexity. By providing a malicious or stale OCSP response that is not properly validated, attackers can prevent the detection of revoked certificates, potentially allowing continued use of compromised certificates for secure connections and enabling integrity violations such as impersonation or man-in-the-middle attacks.

Apache advisories recommend upgrading Apache Tomcat Native to 1.3.5 or later, or 2.0.12 or later, and Apache Tomcat to 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later to mitigate the issue. Additional details are available in the Apache security announcement at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml.

EU & UK References

Vulnerability details

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow…

more

certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability in public-facing Tomcat allows remote unauthenticated exploitation to bypass OCSP revocation checks; description explicitly enables impersonation and man-in-the-middle attacks via compromised certificates.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-29145Same product: Apache Tomcat
CVE-2026-41293Same product: Apache Tomcat
CVE-2025-66614Same product: Apache Tomcat
CVE-2026-34486Same product: Apache Tomcat
CVE-2026-42498Same product: Apache Tomcat
CVE-2026-24880Same product: Apache Tomcat
CVE-2025-55754Same product: Apache Tomcat
CVE-2026-43512Same product: Apache Tomcat
CVE-2025-48913Same vendor: Apache
CVE-2026-34483Same product: Apache Tomcat

Affected Assets

apache
tomcat
10.1.0, 11.0.0 · 9.0.83 — 9.0.115 · 10.1.1 — 10.1.52 · 11.0.1 — 11.0.18
apache
tomcat native
1.3.0 — 1.3.5 · 2.0.0 — 2.0.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and remediation of software flaws such as the improper OCSP response validation in vulnerable Apache Tomcat versions.

prevent

Mandates validation of certificate revocation status via proper OCSP response verification and freshness checks, directly preventing the bypass enabled by this vulnerability.

prevent

Enforces validation of critical inputs like OCSP responses to reject malicious or stale data that could bypass certificate revocation checks.

References