There are a variety of new CVEs out for Tomcat versions 9 - 11. Please
make sure you're running the most recent versions.
https://tomcat.apache.org/
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Tue, Feb 17, 2026 at 11:30 AM
Subject: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP
revocation bypass
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx
<announce@xxxxxxxxxxxxxxxxx>, <announce@xxxxxxxxxx>, Tomcat Developers List
<dev@xxxxxxxxxxxxxxxxx>
CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat Native 2.0.0 to 2.0.11
Apache Tomcat Native 1.3.0 to 1.3.4
Apache Tomcat 11.0.0-M1 to 11.0.17
Apache Tomcat 10.1.0-M7 to 10.1.51
Apache Tomcat 9.0.83 to 9.0.114
Older, EOL versions may also be affected
Description:
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of
the Tomcat Native code) did not complete verification or freshness
checks on the OCSP response which could allow certificate revocation to
be bypassed.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat Native 2.0.12 or later
- Upgrade to Apache Tomcat Native 1.3.5 or later
- Upgrade to Apache Tomcat 11.0.18 or later
- Upgrade to Apache Tomcat 10.1.52 or later
- Upgrade to Apache Tomcat 9.0.115 or later
Credit:
This issue was identified by Joshua Rogers (@MegaManSec)
History:
2026-02-17 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter NSF Unidata
Software Engineer IV P.O. Box 3000
oxelson@xxxxxxxx Boulder, CO 80307
------------------------------------------------------------------------------------