CVE-2026-24734
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
17/02/2026
Last modified:
18/02/2026
Description
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed.

This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.

The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.

Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.

Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later, which fix the issue.
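
To triage an inventory against the affected ranges listed above, the following added example (not part of the advisory or of Apache's own tooling) compares version strings, including milestone builds such as 10.1.0-M7, against those ranges. The product keys, function names and sample inventory are assumptions of this example, as is listing the two EOL ranges under Tomcat Native, since the advisory text does not name the product for them.

```python
import re

# Affected ranges copied from the advisory text (inclusive on both ends).
AFFECTED = {
    "tomcat": [("11.0.0-M1", "11.0.17"), ("10.1.0-M7", "10.1.51"),
               ("9.0.83", "9.0.114")],
    # Assumption: the advisory does not name the product for the two EOL
    # ranges (1.1.x, 1.2.x); this example lists them under Tomcat Native.
    "tomcat-native": [("1.3.0", "1.3.4"), ("2.0.0", "2.0.11"),
                      ("1.1.23", "1.1.34"), ("1.2.0", "1.2.39")],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version):
    """Return a sortable tuple; a milestone (-M<n>) sorts before the release."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_affected(product, version):
    """True if the version falls inside any listed range for the product.
    An unknown product raises KeyError so inventory typos are not silent."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED[product])

def audit(inventory):
    """Return the (host, product, version) entries that need an upgrade."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("app-01", "tomcat", "9.0.114"),
    ("app-02", "tomcat", "9.0.115"),
    ("app-03", "tomcat", "10.1.0-M6"),
    ("app-04", "tomcat", "11.0.0-M3"),
    ("app-05", "tomcat-native", "2.0.12"),
    ("app-06", "tomcat-native", "1.2.39"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range")
```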



