CVE-2026-29145
Published: 09 April 2026
Summary
CVE-2026-29145 is a critical-severity Improper Authentication (CWE-287) vulnerability in Apache Tomcat. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-29145 by requiring timely remediation of flaws through vendor-recommended upgrades to Apache Tomcat and Tomcat Native.
Enforces approved authorizations for logical access to prevent unauthorized access resulting from the CLIENT_CERT authentication bypass.
Requires unique identification and authentication for non-organizational users, addressing improper handling in Tomcat's CLIENT_CERT mechanism exploited by remote attackers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-29145 enables remote attackers to bypass CLIENT_CERT authentication in Apache Tomcat, a public-facing web application server, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache…
more
Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Deeper analysisAI
CVE-2026-29145 is a vulnerability in the CLIENT_CERT authentication mechanism of Apache Tomcat and Apache Tomcat Native, where authentication does not fail as expected in certain scenarios even when soft fail is disabled. This improper authentication issue, classified under CWE-287, affects Apache Tomcat versions from 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Apache Tomcat Native versions from 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows unauthorized access by bypassing CLIENT_CERT authentication checks, potentially enabling attackers to read sensitive data or modify application state without proper validation.
Apache advisories recommend upgrading to Apache Tomcat Native 1.3.7 or 2.0.14, alongside Apache Tomcat 11.0.20, 10.1.53, or 9.0.116, which address the issue. Detailed discussions are available in the Apache mailing list announcement at https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/23.
Details
- CWE(s)