Tomcat patches CLIENT_CERT authentication soft-fail bug
TL;DR — A Critical Tomcat CLIENT_CERT authentication failure mode can let certificate-based auth succeed in scenarios where it should hard-fail, undermining mTLS-based access control.
What happened
Apache Tomcat is a widely deployed Java servlet container (and embedded web server) used to run Java web applications, including many Spring Boot deployments via embedded Tomcat. A GitHub-reviewed advisory for CVE-2026-29145 reports that CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled, impacting both Apache Tomcat and Apache Tomcat Native.
The upstream oss-security announcement frames the issue as: “OCSP checks sometimes soft-fail even when soft-fail is disabled,” tying the bug to revocation / validation failure handling in certificate-authenticated flows.
| Item | Source value |
|---|---|
| Affected software | Apache Tomcat; Apache Tomcat Native |
| Impact | CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled |
| Severity | CVSS v3.1 9.1 (Critical) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) |
| Weakness | CWE-287 (Improper Authentication) |
| Affected versions | Tomcat 11.0.0-M1 through 11.0.18; 10.1.0-M7 through 10.1.52; 9.0.83 through 9.0.115; Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, 2.0.0 through 2.0.13 |
| Fixed versions (vendor) | Tomcat 11.0.20, 10.1.53, 9.0.116; Tomcat Native 1.3.7 or 2.0.14 |
Authentication failure handling is a recurring “sharp edge” in mTLS / client-cert deployments: when a system is configured to hard-fail but still allows success in edge cases, teams tend to overestimate the protection provided by CLIENT_CERT gates. Given Tomcat’s footprint in Java application stacks, this is the kind of auth-layer bug that can translate into broad exposure when the feature is used as a primary trust boundary.
Who is impacted
- Organizations running affected Apache Tomcat or Tomcat Native versions (including embedded Tomcat distributions) where `CLIENT_CERT` authentication is relied on.
- Deployments that explicitly disable soft-fail behavior for certificate validation/revocation-related checks (the advisory states the failure mode occurs under this configuration in some scenarios).
- Higher-risk environments where client-certificate authentication is used as a primary control for administrative or partner/API access paths (i.e., where a "should hard-fail" condition is security-significant).
What to do now
- Follow vendor remediation guidance and apply the fixed releases for your Tomcat line. The advisory states: "Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue."
- Inventory Tomcat usage across your fleet, including:
  - standalone Tomcat installations
  - embedded Tomcat (e.g., via `org.apache.tomcat.embed:tomcat-embed-core`)
  - sidecars / base images that may bundle Tomcat Native
- Identify services using `CLIENT_CERT` auth and review whether any "soft fail disabled" configuration is present; treat affected instances as auth-boundary risk until patched.
- After patching, validate behavior with negative tests and confirm the deployment fails closed: present a client certificate your OCSP responder reports as revoked, one whose chain cannot be verified, and, because the announcement describes OCSP checks soft-failing, one whose OCSP responder is unreachable (the classic soft-fail case). Each should be rejected at the handshake or at the `CLIENT_CERT` gate, not silently admitted.
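The inventory and triage steps above reduce to comparing discovered version strings against the advisory's ranges, which is fiddlier than it looks because Tomcat milestone builds (`11.0.0-M1`) sort before the GA build of the same number. The following is an added example, not code from the advisory or the Tomcat project. It encodes the affected and fixed ranges from the table above, parses version strings out of three artifacts an inventory job commonly collects, and classifies each finding. The artifact formats it expects (the `server.info=Apache Tomcat/X.Y.Z` line in `ServerInfo.properties`, the `tomcat-embed-core-<version>.jar` file name, and the "Loaded Apache Tomcat Native library [...]" startup log line) are stated from general knowledge of Tomcat packaging and are assumptions to verify against your own hosts; the host names and sample inputs are constructed.

```python
"""Added triage helper (not from the advisory or the Tomcat project): classify
Tomcat / Tomcat Native versions found during inventory against the affected and
fixed ranges quoted in the advisory table, and extract version strings from the
artifacts an inventory job usually collects."""
import re
from typing import Iterable, List, Optional, Tuple

# Inclusive affected ranges and the fixed release on the same line, copied from
# the advisory table. Tomcat Native 1.1.x and 1.2.x have no fixed release on
# their own line; the vendor guidance is to move to 1.3.7 or 2.0.14.
AFFECTED = {
    "tomcat": [
        ("11.0.0-M1", "11.0.18", "11.0.20"),
        ("10.1.0-M7", "10.1.52", "10.1.53"),
        ("9.0.83", "9.0.115", "9.0.116"),
    ],
    "tomcat-native": [
        ("1.1.23", "1.1.34", None),
        ("1.2.0", "1.2.39", None),
        ("1.3.0", "1.3.6", "1.3.7"),
        ("2.0.0", "2.0.13", "2.0.14"),
    ],
}
NATIVE_FALLBACK_ADVICE = "1.3.7 or 2.0.14"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '11.0.18' or '11.0.0-M1' into a sortable tuple.

    Milestone builds (-Mn) must sort before the GA build carrying the same
    number, so the fourth field is 0 for milestones and 1 for GA."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return ('affected' | 'fixed' | 'not listed', recommended version)."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED[product]:
        if parse_version(low) <= v <= parse_version(high):
            return "affected", fixed or NATIVE_FALLBACK_ADVICE
        # Same major.minor line and at or above the fixed release: patched.
        if fixed and v[:2] == parse_version(fixed)[:2] and v >= parse_version(fixed):
            return "fixed", fixed
    # Older than the listed range, or a release the advisory does not name:
    # confirm against the vendor advisory rather than assuming either way.
    return "not listed", None


# Assumed artifact formats (verify on your hosts):
#  - lib/catalina.jar carries org/apache/catalina/util/ServerInfo.properties
#    with a line such as  server.info=Apache Tomcat/9.0.115
#  - embedded Tomcat ships as tomcat-embed-core-<version>.jar on the classpath
#  - AprLifecycleListener logs the native library at startup, e.g.
#    "Loaded Apache Tomcat Native library [2.0.13] using APR version [1.7.4]."
_SERVER_INFO_RE = re.compile(r"^server\.info=Apache Tomcat/(\S+)\s*$", re.M)
_EMBED_JAR_RE = re.compile(r"^tomcat-embed-core-(\d+\.\d+\.\d+(?:-M\d+)?)\.jar$")
_NATIVE_LOG_RE = re.compile(r"Loaded Apache Tomcat Native library \[([^\]]+)\]")


def version_from_server_info(text: str) -> Optional[str]:
    m = _SERVER_INFO_RE.search(text)
    return m.group(1) if m else None


def version_from_jar_name(name: str) -> Optional[str]:
    m = _EMBED_JAR_RE.match(name)
    return m.group(1) if m else None


def version_from_native_log(line: str) -> Optional[str]:
    m = _NATIVE_LOG_RE.search(line)
    return m.group(1) if m else None


def triage(findings: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """findings: (host, product, version) triples -> report rows with status and advice."""
    rows = []
    for host, product, version in findings:
        status, advice = classify(product, version)
        rows.append((host, product, version, status, advice))
    return rows


if __name__ == "__main__":
    # Constructed sample inputs standing in for what an inventory job collects.
    server_info = "server.info=Apache Tomcat/9.0.115\nserver.number=9.0.115.0\n"
    embed_jar = "tomcat-embed-core-10.1.52.jar"
    native_log = ("12-Mar-2026 10:01:02.345 INFO [main] org.apache.catalina.core."
                  "AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native "
                  "library [2.0.13] using APR version [1.7.4].")
    findings = [
        ("app-01", "tomcat", version_from_server_info(server_info)),
        ("api-07", "tomcat", version_from_jar_name(embed_jar)),
        ("api-07", "tomcat-native", version_from_native_log(native_log)),
        ("app-02", "tomcat", "11.0.20"),
    ]
    for host, product, version, status, advice in triage(findings):
        print(f"{host:8} {product:14} {version:12} {status:10} {advice or '-'}")
```

Anything reported as `affected` should be treated as an auth-boundary risk until it is on the listed fixed release; `not listed` covers builds older than the advisory's lower bound and any release the table does not name, and deserves a manual check against the vendor advisory rather than an assumption in either direction.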
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
