Apache Tomcat Security Update Advisory
Overview
We have released a security update that addresses two vulnerabilities in Apache Tomcat. Users of affected products are encouraged to update to the latest version.
Affected Products
CVE-2025-66614
Apache Tomcat version: 11.0.0-M1 or later and 11.0.14 or earlier
Apache Tomcat version: 10.1.0-M1 or later and 10.1.49 or earlier
Apache Tomcat version: 9.0.0.M1 or later and 9.0.112 or earlier
CVE-2026-24734
Apache Tomcat Native version: 2.0.0 or later and 2.0.11 or earlier
Apache Tomcat Native version: 1.3.0 or later and 1.3.4 or earlier
Apache Tomcat version: 11.0.0-M1 or later and 11.0.17 or earlier
Apache Tomcat version: 10.1.0-M7 or later and 10.1.51 or earlier
Apache Tomcat version: 9.0.83 or later and 9.0.114 or earlier
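As an added check that is not part of the advisory, the following Python compares an installed version string (as printed in "Apache Tomcat/11.0.14" or "Server number: 11.0.14.0") against the affected ranges listed above. The product keys "tomcat" and "tomcat-native" and the rule that a milestone build sorts before the final release of the same number are assumptions made here.

```python
import re
from typing import List, Tuple

# Affected ranges (inclusive bounds) copied from the advisory above.
AFFECTED = {
    "CVE-2025-66614": {
        "tomcat": [("11.0.0-M1", "11.0.14"), ("10.1.0-M1", "10.1.49"),
                   ("9.0.0.M1", "9.0.112")],
    },
    "CVE-2026-24734": {
        "tomcat": [("11.0.0-M1", "11.0.17"), ("10.1.0-M7", "10.1.51"),
                   ("9.0.83", "9.0.114")],
        "tomcat-native": [("2.0.0", "2.0.11"), ("1.3.0", "1.3.4")],
    },
}

# Accepts "11.0.14", "11.0.14.0" (Tomcat's server number), "11.0.0-M1" and "9.0.0.M1".
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+)|\.\d+)?$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Assumption: a milestone sorts before the final release with the same
    number, so M builds become (major, minor, patch, 0, milestone) and
    final releases become (major, minor, patch, 1, 0).
    """
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(product: str, version: str) -> List[str]:
    """Return the CVE ids from the advisory whose affected range contains `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges.get(product, []):
            if parse_version(lo) <= v <= parse_version(hi):
                hits.append(cve)
                break
    return hits
```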
Resolved Vulnerabilities
Client certificate validation bypass vulnerability in Apache Tomcat (CVE-2025-66614)
OCSP certificate revocation validation bypass vulnerability in Apache Tomcat and Tomcat Native (CVE-2026-24734)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest update. Please follow the instructions on the reference sites to update to a patched version.
CVE-2025-66614
Apache Tomcat version: 11.0.15 or later
Apache Tomcat version: 10.1.50 or later
Apache Tomcat version: 9.0.113 or later
CVE-2026-24734
Apache Tomcat Native version: 2.0.12 or later
Apache Tomcat Native version: 1.3.5 or later
Apache Tomcat version: 11.0.18 or later
Apache Tomcat version: 10.1.52 or later
Apache Tomcat version: 9.0.115 or later
References
[1] CVE-2025-66614 Apache Tomcat – Client certificate verification bypass due to virtual host mapping
https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
[2] CVE-2026-24734 Apache Tomcat and Tomcat Native – OCSP revocation bypass
https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml