CVE-2026-34500 Overview
CVE-2026-34500 is an authentication bypass vulnerability in Apache Tomcat affecting the CLIENT_CERT authentication mechanism (the `CLIENT-CERT` auth-method in web.xml). When soft fail is disabled and the connector's TLS stack is the OpenSSL implementation that Tomcat builds on the Foreign Function & Memory (FFM) API, CLIENT_CERT authentication does not fail as expected in certain scenarios, so a client that should have been rejected can reach protected resources.
This vulnerability impacts Apache Tomcat versions across three major branches: 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. Organizations relying on client certificate authentication for securing sensitive applications should evaluate their exposure immediately.
Critical Impact
Authentication bypass in CLIENT_CERT scenarios could allow unauthorized users to access protected resources when soft fail is disabled and FFM is in use.
Affected Products
- Apache Tomcat 11.0.0-M14 through 11.0.20
- Apache Tomcat 10.1.22 through 10.1.53
- Apache Tomcat 9.0.92 through 9.0.116
Discovery Timeline
- 2026-04-09 - CVE CVE-2026-34500 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34500
Vulnerability Analysis
This vulnerability exists within Apache Tomcat's CLIENT_CERT authentication handling and requires two conditions to coincide: soft fail is disabled in the TLS configuration, and the connector's TLS engine is the OpenSSL implementation that Tomcat builds on the Foreign Function & Memory (FFM) API (final since Java 22). Neither condition on its own triggers the problem; when both hold, the authentication mechanism fails to properly validate client certificates in certain scenarios.
Under normal operation, when a client fails to present a valid certificate during CLIENT_CERT authentication, the handshake or the request should be rejected. Under the conditions above, the authentication process instead succeeds in certain edge cases, bypassing the intended control.
The issue appears to be related to how the FFM-based OpenSSL implementation reports certificate verification results back to Tomcat's authentication code. When soft fail is explicitly disabled (meaning the server should strictly enforce certificate requirements), the expected failure condition is not triggered.
Root Cause
The root cause, as described in the advisory, is improper error handling in the CLIENT_CERT authentication flow when the FFM-based OpenSSL implementation is in use: certificate validation failures are not correctly propagated to the authentication layer when soft fail is disabled, so the authentication check passes when it should fail. The exact configuration attribute that controls soft fail is not given here; confirm it against the Apache Security Discussion Thread before relying on a configuration-based workaround.
Attack Vector
An attacker could exploit this vulnerability by connecting to a Tomcat server that uses CLIENT_CERT authentication with soft fail disabled and FFM enabled. By presenting an invalid, expired, or missing client certificate, the attacker may bypass authentication controls and gain unauthorized access to protected resources.
The attack requires:
- Target Tomcat server using CLIENT_CERT authentication
- Soft fail mode explicitly disabled in the connector configuration
- Tomcat's FFM-based OpenSSL TLS implementation in use on the connector (requires Java 22 or later, where the FFM API is final; it is selected in server.xml, not switched on merely by the --enable-native-access JVM flag)
- Network access to the affected Tomcat instance
For technical details and discussion, refer to the Apache Security Discussion Thread.
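The preconditions above can be triaged directly from server.xml. The following is an added example, not code from Apache Tomcat: it parses a server.xml, finds every SSL-enabled Connector that asks the client for a certificate (legacy `clientAuth` on the Connector, or `certificateVerification` on `SSLHostConfig`) and reports whether that connector runs on the FFM-based OpenSSL implementation. Two assumptions are labelled in the code: the FFM class names are those of Tomcat's `tomcat-coyote-ffm` package as known to the editor (verify against the jar in your distribution), and a connector with no explicit `sslImplementationName` is assumed to default to OpenSSL when the FFM lifecycle listener is loaded. The soft fail attribute is not named on this page, so it is reported as a manual follow-up. The sample server.xml is constructed for the example.

```python
"""Exposure triage for CVE-2026-34500 preconditions (added example, not Tomcat code)."""
import xml.etree.ElementTree as ET

# Class names from Tomcat's tomcat-coyote-ffm package as recalled by the editor;
# verify against the jar shipped with your Tomcat version.
FFM_SSL_IMPL = "org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"
FFM_LISTENER = "org.apache.tomcat.util.net.openssl.panama.OpenSSLLifecycleListener"

# SSLHostConfig certificateVerification values and legacy Connector clientAuth
# values that make the connector request a client certificate.
CLIENT_CERT_VALUES = {"required", "optional", "optionalnoca", "true", "want"}


def audit_server_xml(xml_text):
    """Return one dict per SSL-enabled Connector with its exposure assessment."""
    root = ET.fromstring(xml_text)
    # Assumption: with the FFM lifecycle listener loaded, TLS connectors that do
    # not set sslImplementationName default to the OpenSSL engine.
    has_ffm_listener = any(
        lst.get("className") == FFM_LISTENER for lst in root.iter("Listener"))

    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        impl = conn.get("sslImplementationName", "")
        uses_ffm = impl == FFM_SSL_IMPL or (impl == "" and has_ffm_listener)

        # Legacy attribute on the Connector, or per-host on SSLHostConfig.
        values = [conn.get("clientAuth")]
        values += [h.get("certificateVerification") for h in conn.findall("SSLHostConfig")]
        values = [v.lower() for v in values if v]
        asks_for_cert = any(v in CLIENT_CERT_VALUES for v in values)

        findings.append({
            "port": conn.get("port"),
            "client_cert": values or ["none (default)"],
            "uses_ffm": uses_ffm,
            # Manual step remains: confirm soft fail is disabled on this connector.
            "exposed": uses_ffm and asks_for_cert,
        })
    return findings


# Constructed sample: one FFM-backed mutual-TLS connector, one explicitly on JSSE.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.tomcat.util.net.openssl.panama.OpenSSLLifecycleListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        flag = "EXPOSED (verify soft fail)" if f["exposed"] else "ok"
        print(f"port {f['port']}: client_cert={f['client_cert']} ffm={f['uses_ffm']} -> {flag}")
```

Run it against a real server.xml by replacing the constructed sample with the file contents; a connector reported as exposed still needs the soft fail setting checked by hand, since that attribute is not captured here.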
Detection Methods for CVE-2026-34500
Indicators of Compromise
- Successful authentication events for users who should have been rejected due to certificate failures
- Authentication logs showing access granted without corresponding valid certificate presentation
- Unusual access patterns to CLIENT_CERT protected resources from unexpected sources
- SSL handshake logs showing certificate validation anomalies
Detection Strategies
- Review authentication logs for CLIENT_CERT protected applications to identify unexpected successful authentications
- Monitor for access to protected resources from clients that historically failed certificate validation
- Implement additional logging around SSL/TLS certificate validation events
- Cross-reference application access logs with certificate validation results
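The last two strategies amount to a log join. The following is an added example, not Tomcat code: it correlates Tomcat access-log lines (the default `common` pattern, `%h %l %u %t "%r" %s %b`) with certificate-verification events keyed by client IP. The verification log format is hypothetical, standing in for whatever extra logging you add around certificate validation; Tomcat does not emit these lines itself. A 2xx response to a protected path is flagged when the most recent verification event from that IP within the window was a failure, or when no remote user was recorded, which under CLIENT-CERT means no principal was established. All log lines are constructed for the example.

```python
"""Access-log / certificate-verification correlation (added example, not Tomcat code)."""
import re
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>.+?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')
# Hypothetical format for the extra verification logging recommended above.
VERIFY_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) cert_verify=(?P<result>\w+)(?: reason=(?P<reason>\S+))?$')


def parse_access(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def parse_verify(line):
    """Parse one (hypothetical) certificate-verification event."""
    m = VERIFY_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def find_suspicious(access_lines, verify_lines, protected_prefixes, window_s=10):
    """Return [(access_line, reason)] for 2xx hits on protected paths that look wrong."""
    failures = [v for v in map(parse_verify, verify_lines) if v and v["result"] != "OK"]
    hits = []
    for line in access_lines:
        a = parse_access(line)
        if not a or not a["path"].startswith(tuple(protected_prefixes)):
            continue
        if not 200 <= a["status"] < 300:
            continue  # rejected as expected; nothing to flag
        # Most recent failed verification from the same IP shortly before the request.
        recent_fail = next(
            (f for f in failures if f["ip"] == a["ip"]
             and 0 <= (a["ts"] - f["ts"]).total_seconds() <= window_s), None)
        if recent_fail:
            reason = recent_fail["reason"] or "unspecified"
            hits.append((line, f"verification {recent_fail['result']}: {reason}"))
        elif a["user"] == "-":
            # CLIENT-CERT success normally records the certificate principal in %u.
            hits.append((line, "no remote user on CLIENT-CERT protected path"))
    return hits


# Constructed samples: 203.0.113.5 is served right after its certificate fails;
# 198.51.100.7 verified OK; 203.0.113.9 failed and was correctly refused;
# 192.0.2.44 reaches a protected path with no principal and no verification event.
SAMPLE_VERIFY = [
    "2026-04-10T10:00:04+00:00 ip=203.0.113.5 cert_verify=FAIL reason=expired",
    "2026-04-10T10:00:06+00:00 ip=198.51.100.7 cert_verify=OK",
    "2026-04-10T10:00:09+00:00 ip=203.0.113.9 cert_verify=FAIL reason=unknown_ca",
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [10/Apr/2026:10:00:05 +0000] "GET /secure/admin HTTP/1.1" 200 512',
    '198.51.100.7 - CN=alice [10/Apr/2026:10:00:07 +0000] "GET /secure/admin HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Apr/2026:10:00:10 +0000] "GET /secure/admin HTTP/1.1" 403 0',
    '203.0.113.5 - - [10/Apr/2026:10:00:30 +0000] "GET /public/index.html HTTP/1.1" 200 1024',
    '192.0.2.44 - - [10/Apr/2026:10:00:40 +0000] "GET /secure/report HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for line, why in find_suspicious(SAMPLE_ACCESS, SAMPLE_VERIFY, ["/secure/"]):
        print(f"SUSPICIOUS ({why}): {line}")
```

Keying on client IP is the weakest part of this join; if your access log and verification log share a connection or request id, correlate on that instead and drop the time window.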
Monitoring Recommendations
- Enable JSSE debug output (javax.net.debug=ssl,handshake) in non-production environments to understand handshake behavior; note that this property only affects the JSSE engine and prints nothing for connectors running on the OpenSSL/FFM implementation, which is the vulnerable configuration, so it establishes a JSSE baseline rather than showing the bug
- Configure Tomcat access logging to capture client certificate details for audit purposes
- Implement alerts for authentication anomalies on CLIENT_CERT protected endpoints
- Confirm from the running JVM's command line (jcmd <pid> VM.command_line) and from server.xml whether the FFM-based OpenSSL implementation is actually loaded, rather than inferring it from the Java version
How to Mitigate CVE-2026-34500
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.21, 10.1.54, or 9.0.117 depending on your branch
- If immediate upgrade is not possible, temporarily enable soft fail or move the affected connectors off the FFM-based OpenSSL implementation; neither is a substitute for the fix, and both should be reverted once patched
- Audit access logs for any unauthorized access that may have occurred during the vulnerable period
- Review and validate all CLIENT_CERT authentication configurations
Patch Information
Apache has released patched versions that fix this authentication bypass:
| Affected Branch | Fixed Version |
|---|---|
| Tomcat 11.x | 11.0.21 |
| Tomcat 10.1.x | 10.1.54 |
| Tomcat 9.0.x | 9.0.117 |
Users are strongly recommended to upgrade to the fixed versions immediately. For additional information, see the Apache Security Discussion Thread.
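Deciding whether a given install falls inside the ranges in the table above is easy to get wrong by hand because of Tomcat's milestone numbering (11.0.0-M14 precedes 11.0.0). The following is an added example, not Apache tooling: it encodes the affected and fixed versions from this page, orders milestone versions correctly, and parses the `Server version:` line that `catalina.sh version` prints. The sample command output is constructed.

```python
"""Version-range check for CVE-2026-34500 (added example, not Apache tooling)."""
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
SERVER_LINE_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")

# (first affected, last affected, first fixed) per branch, taken from this page.
RANGES = [
    ("11.0.0-M14", "11.0.20", "11.0.21"),
    ("10.1.22", "10.1.53", "10.1.54"),
    ("9.0.92", "9.0.116", "9.0.117"),
]


def version_key(version):
    """Sortable tuple; a milestone (-Mn) sorts before the final release of the same number."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))


def assess(version):
    """Return (affected, first_fixed). affected is None for branches this page does not cover."""
    key = version_key(version)
    for lo, hi, fix in RANGES:
        if key[:2] != version_key(lo)[:2]:
            continue  # different branch
        affected = version_key(lo) <= key <= version_key(hi)
        return affected, (fix if affected else None)
    return None, None  # e.g. 8.5.x: not assessed by this advisory


def assess_catalina_output(text):
    """Parse `catalina.sh version` output; returns (version, affected, first_fixed)."""
    m = SERVER_LINE_RE.search(text)
    if not m:
        raise ValueError("no 'Server version:' line in output")
    version = m.group(1)
    affected, fix = assess(version)
    return version, affected, fix


# Constructed sample of `catalina.sh version` output (values are placeholders).
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/10.1.40
Server built:   (constructed sample)
Server number:  10.1.40.0
OS Name:        Linux
"""

if __name__ == "__main__":
    v, affected, fix = assess_catalina_output(SAMPLE_OUTPUT)
    if affected is None:
        print(f"{v}: branch not covered by this advisory")
    else:
        print(f"{v}: {'affected, upgrade to ' + fix if affected else 'not affected'}")
```

Pipe the real output in with `./catalina.sh version | python3 check.py` after replacing the constructed sample with `sys.stdin.read()`; a result of `None` means the branch (for example 8.5.x) is not covered by this advisory at all, which is not the same as not affected.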
Workarounds
- Temporarily enable soft fail in the TLS connector configuration until the patch can be applied; this changes the failure mode rather than fixing the bypass, so pair it with the monitoring described above
- Move affected connectors off the FFM-based OpenSSL implementation if it is not strictly required (for example by setting sslImplementationName to the JSSE implementation, or by not loading the FFM OpenSSL lifecycle listener). Simply omitting the --enable-native-access JVM flag is not a reliable control: on current JDKs restricted native access without the flag only emits a warning, and whether Tomcat uses FFM is decided by server.xml, not by the flag
- Implement additional authentication layers (e.g., application-level authentication) for critical resources
- Use network-level access controls to limit exposure of CLIENT_CERT protected endpoints
```bash
# Verify current Tomcat version (prints "Server version: Apache Tomcat/x.y.z")
"$CATALINA_HOME/bin/catalina.sh" version
# Check whether the running JVM was started with --enable-native-access
# (VM.flags lists only -XX: options and will not show it; VM.command_line does)
jcmd <pid> VM.command_line | grep -i "enable-native-access"
# Review TLS connector configuration: client certificate setting (legacy clientAuth
# or SSLHostConfig certificateVerification) and which TLS implementation is wired in
grep -nE 'clientAuth|certificateVerification|sslImplementationName|OpenSSLLifecycleListener' "$CATALINA_HOME/conf/server.xml"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


