Apache Tomcat
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*, +1 more
- >= 11.0.0-M1, <= 11.0.14
- >= 10.1.0-M1, <= 10.1.49
- >= 9.0.0-M1, <= 9.0.112
- >= 8.5.0, <= 8.5.100
A vulnerability allowing clients to bypass client certificate authentication has been identified in Apache Tomcat versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112. The issue arises because Tomcat did not validate that the host name in the TLS SNI extension matched the host name in the HTTP Host header. In configurations with multiple virtual hosts, where one host's TLS settings did not require client certificates while another host's did, a client could use this mismatch to reach the host that requires a certificate without presenting one. This vulnerability is relevant only when client certificate verification is enforced at the Connector level, not at the web application level.
Successful exploitation bypasses client certificate authentication, potentially leading to unauthorized access to resources or actions that require such authentication.
Users should upgrade to Apache Tomcat versions 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later.