CVE-2026-24734: CWE-20 Improper Input Validation in Apache Software Foundation Apache Tomcat Native
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later, which fix the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-24734 is an improper input validation vulnerability (CWE-20) in Apache Tomcat Native and in Apache Tomcat's FFM port of the native code. It concerns the handling of Online Certificate Status Protocol (OCSP) responses, which are used to check the revocation status of TLS certificates. When Tomcat Native or the FFM port receives a response from an OCSP responder, it does not perform complete verification or freshness checks on that response. A stale or tampered OCSP response may therefore be accepted, allowing certificate revocation checks to be bypassed: a revoked certificate can be treated as valid, undermining the trust model of the TLS connection. Affected versions are Apache Tomcat Native 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11, and Apache Tomcat 9.0.83 through 9.0.114, 10.1.0-M7 through 10.1.51, and 11.0.0-M1 through 11.0.17. The EOL Tomcat Native versions 1.1.23 through 1.1.34 and 1.2.0 through 1.2.39 are also affected; older EOL versions are not. The vulnerability has a CVSS v3.1 base score of 7.4 (high): network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high impact on confidentiality and integrity, and no impact on availability. No exploits in the wild are currently reported. The recommended mitigation is to upgrade Apache Tomcat Native to 1.3.5 or later or 2.0.12 or later, and Apache Tomcat to 9.0.115 or later, 10.1.52 or later, or 11.0.18 or later, which contain the fix.
Potential Impact
This vulnerability undermines the security of TLS connections by allowing certificate revocation checks to be bypassed. The primary impact is on confidentiality and integrity: an attacker could present a revoked certificate to intercept or manipulate encrypted communications without detection, enabling man-in-the-middle (MITM) attacks, data interception, or unauthorized access to sensitive information. Because Apache Tomcat is widely deployed as a web server and servlet container in enterprise environments, the flaw could affect many organizations, particularly those relying on OCSP for certificate validation. There is no availability impact, so services keep running, but the trustworthiness of their secure communications is compromised. Attack complexity is rated high, but no authentication or user interaction is required, so the flaw is exploitable by a remote attacker with network access. The scope is limited to systems running vulnerable versions of Apache Tomcat Native or Apache Tomcat with OCSP checking enabled. Organizations that do not patch promptly face increased risk of data breaches, regulatory non-compliance, and reputational damage.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade affected Apache Tomcat Native versions to 1.3.5 or later, or 2.0.12 or later, and Apache Tomcat versions to 9.0.115 or later, 10.1.52 or later, or 11.0.18 or later. Beyond upgrading, administrators should verify that OCSP validation is properly configured and enabled, ensuring that freshness checks and full verification of OCSP responses are enforced. Implementing strict TLS configurations, including enabling OCSP stapling and monitoring OCSP responder availability, can further reduce risk. Network-level protections such as firewall rules restricting access to trusted OCSP responders and intrusion detection systems tuned to detect anomalous TLS certificate behavior are recommended. Regularly auditing TLS certificate validation logs for anomalies can help detect exploitation attempts. Organizations should also review their certificate management policies to ensure revoked certificates are promptly replaced and that fallback mechanisms do not bypass OCSP checks. Finally, maintaining an up-to-date inventory of affected systems and applying security patches as part of a robust vulnerability management program is critical.
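The advisory says the vulnerable code "did not complete verification or freshness checks" on the OCSP response. The block below is an added illustration, not code from Tomcat Native or Tomcat, of what a complete acceptance check looks like under RFC 6960 section 3.2: the responder status, CertID match, signature, signer authorization, thisUpdate/nextUpdate window and certificate status are all evaluated before a "good" answer is trusted. DER parsing and cryptographic signature verification are assumed to be done by an X.509 library and are represented as already-parsed fields; the `ParsedOcspResponse`, `FreshnessPolicy` and `evaluate` names, the clock-skew and maximum-age values, and every fixture are constructed for this example.

```python
"""Acceptance checks for an OCSP response, following RFC 6960 section 3.2.

Added illustration: this is not Tomcat Native or Tomcat code. DER parsing and
cryptographic signature verification are assumed to be done by an X.509
library and are represented here as already-parsed fields; evaluate() shows
the policy that must be applied to those fields before a "good" status is
trusted. Every sample value below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class ParsedOcspResponse:
    response_status: str             # OCSPResponseStatus, e.g. "successful", "tryLater"
    cert_id: bytes                   # CertID of the SingleResponse (issuer hash + serial)
    cert_status: CertStatus
    this_update: datetime            # RFC 6960 thisUpdate
    next_update: Optional[datetime]  # RFC 6960 nextUpdate, OPTIONAL in the ASN.1
    signature_valid: bool            # BasicOCSPResponse signature verified by the library
    responder_authorized: bool       # signer is the issuer CA or a delegated OCSP signer


@dataclass(frozen=True)
class FreshnessPolicy:
    clock_skew: timedelta = timedelta(minutes=5)
    # RFC 6960 leaves the maximum age open when nextUpdate is absent; choose one explicitly.
    max_age_without_next_update: timedelta = timedelta(days=7)
    reject_unknown: bool = True


def evaluate(resp: ParsedOcspResponse, expected_cert_id: bytes, now: datetime,
             policy: FreshnessPolicy = FreshnessPolicy()) -> Tuple[bool, str]:
    """Return (accept, reason). Accept only when every check passes and the status is good."""
    if resp.response_status != "successful":
        return False, "responder status: " + resp.response_status
    if resp.cert_id != expected_cert_id:
        return False, "CertID does not match the certificate being checked"
    if not resp.signature_valid:
        return False, "signature invalid"
    if not resp.responder_authorized:
        return False, "signer is not authorized for this issuer"
    # Freshness: the response must not come from the future ...
    if resp.this_update > now + policy.clock_skew:
        return False, "thisUpdate is in the future"
    # ... and must not be replayed after its validity window has closed.
    if resp.next_update is not None:
        if now > resp.next_update + policy.clock_skew:
            return False, "response expired: nextUpdate has passed"
    elif now - resp.this_update > policy.max_age_without_next_update:
        return False, "response too old and carries no nextUpdate"
    if resp.cert_status is CertStatus.REVOKED:
        return False, "certificate revoked"
    if resp.cert_status is CertStatus.UNKNOWN and policy.reject_unknown:
        return False, "responder does not know this certificate"
    return True, "good"


# Constructed fixtures (not real certificates or responses).
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
CERT_ID = b"constructed-certid-0001"


def _response(**overrides) -> ParsedOcspResponse:
    base = dict(response_status="successful", cert_id=CERT_ID, cert_status=CertStatus.GOOD,
                this_update=NOW - timedelta(hours=1), next_update=NOW + timedelta(days=1),
                signature_valid=True, responder_authorized=True)
    base.update(overrides)
    return ParsedOcspResponse(**base)


def demo() -> dict:
    """Run the checker over a fresh response and several an incomplete verifier would accept."""
    cases = {
        "fresh_good": _response(),
        # A 'good' response issued before the revocation and presented after its nextUpdate.
        "replayed_stale": _response(this_update=NOW - timedelta(days=30),
                                    next_update=NOW - timedelta(days=23)),
        # A 'good' response whose signature does not verify.
        "bad_signature": _response(signature_valid=False),
        # A genuine response, but for a different certificate than the one being checked.
        "wrong_certid": _response(cert_id=b"constructed-certid-0002"),
        "no_next_update_recent": _response(next_update=None),
        "no_next_update_old": _response(this_update=NOW - timedelta(days=10), next_update=None),
        "revoked": _response(cert_status=CertStatus.REVOKED),
    }
    return {name: evaluate(r, CERT_ID, NOW) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:24s} {'ACCEPT' if accepted else 'REJECT'}  ({reason})")
```

Only the `fresh_good` and `no_next_update_recent` cases are accepted; the stale, wrongly signed and mismatched responses are exactly the ones that skipping verification or freshness checks would let through. When auditing a deployment, the equivalent questions to ask of the TLS stack are whether it checks the signature and signer, whether it compares CertID to the certificate actually presented, and what it does with a response whose nextUpdate has passed or that has no nextUpdate at all.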
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Brazil, Netherlands, Singapore, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-01-26T14:20:56.965Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 699575bd80d747be205377f0
Added to database: 2/18/2026, 8:18:05 AM
Last enriched: 3/11/2026, 7:00:29 PM
Last updated: 4/6/2026, 6:02:36 PM
Views: 898