CVE-2026-24734
Published: 17 February 2026
Summary
CVE-2026-24734 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24734 is an Improper Input Validation vulnerability (CWE-20) affecting Apache Tomcat Native and Apache Tomcat. Specifically, when using an OCSP responder, Tomcat Native (versions 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11) and Tomcat's FFM port of the Tomcat Native code fail to complete verification or freshness checks on OCSP responses, enabling attackers to bypass certificate revocation checks. The vulnerability also impacts Apache Tomcat versions 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114, as well as end-of-life Tomcat Native versions 1.1.23 through 1.1.34 and 1.2.0 through 1.2.39.
Remote attackers require no privileges or user interaction (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and can exploit this over the network with low complexity. By providing a malicious or stale OCSP response that is not properly validated, attackers can prevent the detection of revoked certificates, potentially allowing continued use of compromised certificates for secure connections and enabling integrity violations such as impersonation or man-in-the-middle attacks.
Apache advisories recommend upgrading Apache Tomcat Native to 1.3.5 or later, or 2.0.12 or later, and Apache Tomcat to 11.0.18 or later, 10.1.52 or later, or 9.0.115 or later to mitigate the issue. Additional details are available in the Apache security announcement at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7833
Vulnerability details
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow…
more
certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Tomcat allows remote unauthenticated exploitation to bypass OCSP revocation checks; description explicitly enables impersonation and man-in-the-middle attacks via compromised certificates.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and remediation of software flaws such as the improper OCSP response validation in vulnerable Apache Tomcat versions.
Mandates validation of certificate revocation status via proper OCSP response verification and freshness checks, directly preventing the bypass enabled by this vulnerability.
Enforces validation of critical inputs like OCSP responses to reject malicious or stale data that could bypass certificate revocation checks.