#VU122999 Improper authorization in Apache Tomcat - CVE-2026-24734
Published: February 17, 2026 / Updated: February 18, 2026
Vulnerability identifier: #VU122999
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-24734
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Tomcat
Apache Tomcat
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to incomplete OCSP verification checks. When using an OCSP responder, Tomcat's FFM integration with OpenSSL does not complete verification or freshness checks on the OCSP response. A remote attacker can bypass certificate revocation and gain unauthorized access to the application.
Remediation
Install updates from vendor's website.