
CVE-2026-24734: CWE-20 Improper Input Validation in Apache Software Foundation Apache Tomcat Native

Published: Tue Feb 17 2026 (02/17/2026, 18:53:12 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat Native

Description

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

AI-Powered Analysis

Last updated: 02/18/2026, 08:24:15 UTC

Technical Analysis

CVE-2026-24734 is an improper input validation weakness (CWE-20) in the Apache Tomcat Native library and in Apache Tomcat's FFM (Foreign Function & Memory) port of that code, specifically in the handling of Online Certificate Status Protocol (OCSP) responses. OCSP is used to check the revocation status of X.509 certificates during a TLS handshake; in Tomcat the certificates checked this way are the ones presented by TLS clients when client certificate authentication is configured on the OpenSSL-based connector. The affected code did not complete verification of the OCSP response (that it is signed by an authorised responder and answers for the certificate actually being checked) or its freshness (the thisUpdate/nextUpdate window), so a stale, replayed or forged response could be accepted in place of a current one. The consequence is that a certificate that has been revoked, for example because its private key was compromised or the holder's access was withdrawn, can still pass the revocation check and be accepted for authentication. Affected versions are Tomcat Native 1.3.0 through 1.3.4 and 2.0.0 through 2.0.11, and Tomcat 9.0.83 through 9.0.114, 10.1.0-M7 through 10.1.51 and 11.0.0-M1 through 11.0.17; the EOL Tomcat Native branches 1.1.23 through 1.1.34 and 1.2.0 through 1.2.39 are also affected, while older EOL versions are not. No CVSS score has been assigned and no exploitation in the wild has been reported. The Apache Software Foundation's fixed releases are Tomcat Native 1.3.5 and 2.0.12, and Tomcat 9.0.115, 10.1.52 and 11.0.18 (or later in each branch). Until patched, the revocation check that deployments rely on to cut off compromised or decommissioned client certificates cannot be trusted.
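The checks the advisory says were incomplete, written out as an added example (this is not Tomcat Native or Tomcat code, and it does not parse real OCSP DER). The response is modelled as plain dataclasses; an HMAC under a shared key stands in for the responder's real signature and a joined string stands in for the DER encoding of ResponseData, both assumptions made so the example runs offline. The clock-skew and maximum-age values are local policy choices, not values from the advisory. The demo contrasts trusting the status field alone with the full check on constructed fresh, stale, replayed, tampered and revoked responses.

```python
# Added example for CVE-2026-24734 (not Tomcat Native or Tomcat code). It
# models an OCSP response with plain dataclasses and shows the checks a TLS
# endpoint must pass before trusting the reported status: response status,
# responder signature, CertID match, nonce match, and the thisUpdate/nextUpdate
# freshness window from RFC 6960 section 4.2.2.1. HMAC-SHA256 under a shared
# key stands in for the responder's real RSA/ECDSA signature, and a "|"-joined
# string stands in for the DER encoding of ResponseData.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

@dataclass(frozen=True)
class CertID:
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int

@dataclass(frozen=True)
class OCSPResponse:
    response_status: str             # "successful" or an error status
    cert_id: CertID                  # which certificate the single response covers
    cert_status: str                 # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # may be absent per RFC 6960
    nonce: Optional[bytes]
    signature: bytes

MAX_CLOCK_SKEW = timedelta(minutes=5)                  # local policy (assumed)
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(hours=24)      # local policy (assumed)
RESPONDER_KEY = b"constructed-example-responder-key"    # stands in for the responder key pair

def response_data_bytes(resp):
    """Stand-in for the DER-encoded ResponseData that the signature covers."""
    fields = [resp.cert_id.issuer_name_hash.hex(), resp.cert_id.issuer_key_hash.hex(),
              str(resp.cert_id.serial), resp.cert_status, resp.this_update.isoformat(),
              resp.next_update.isoformat() if resp.next_update else "",
              resp.nonce.hex() if resp.nonce else ""]
    return "|".join(fields).encode()

def responder_signature_ok(resp):
    """Stand-in for verifying the responder's signature with its public key."""
    expected = hmac.new(RESPONDER_KEY, response_data_bytes(resp), hashlib.sha256).digest()
    return hmac.compare_digest(expected, resp.signature)

def evaluate_ocsp_response(resp, expected_id, expected_nonce, now):
    """Full check. Returns (accept_certificate, reason); any failed check rejects."""
    if resp.response_status != "successful":
        return False, "response status is " + resp.response_status
    if not responder_signature_ok(resp):   # nothing below is trustworthy until this passes
        return False, "responder signature invalid"
    if resp.cert_id != expected_id:
        return False, "CertID does not match the certificate being checked"
    if expected_nonce is not None and resp.nonce != expected_nonce:
        return False, "nonce mismatch, possible replay"
    if resp.this_update > now + MAX_CLOCK_SKEW:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        if now > resp.next_update + MAX_CLOCK_SKEW:
            return False, "response expired, nextUpdate has passed"
    elif now - resp.this_update > MAX_AGE_WITHOUT_NEXT_UPDATE:
        return False, "response too old and carries no nextUpdate"
    if resp.cert_status == "good":
        return True, "good"
    return False, "certificate status is " + resp.cert_status

def status_field_only(resp):
    """The shortcut the advisory describes: trust the status field alone."""
    return resp.cert_status == "good"

def issue_response(cert_id, cert_status, this_update, next_update, nonce):
    """Constructed responder: build a single response and sign it."""
    unsigned = OCSPResponse("successful", cert_id, cert_status, this_update, next_update, nonce, b"")
    sig = hmac.new(RESPONDER_KEY, response_data_bytes(unsigned), hashlib.sha256).digest()
    return replace(unsigned, signature=sig)

def demo():
    """Run both checks on constructed responses; returns {name: (status_only, full, reason)}."""
    now = datetime(2026, 2, 18, 12, 0, tzinfo=timezone.utc)
    cid = CertID(hashlib.sha1(b"CN=Example CA").digest(), hashlib.sha1(b"example-ca-spki").digest(), 0x1234)
    nonce = bytes.fromhex("0102030405060708")
    valid_window = (now - timedelta(hours=1), now + timedelta(days=7))
    cases = {
        "fresh good": issue_response(cid, "good", *valid_window, nonce),
        # Captured before revocation and replayed a month later: still "good", but expired.
        "stale good": issue_response(cid, "good", now - timedelta(days=30), now - timedelta(days=23), nonce),
        # Fresh answer to an earlier request: the nonce does not match this handshake.
        "replayed good": issue_response(cid, "good", *valid_window, b"\xff" * 8),
        # Status flipped in transit: the field says "good" but the signature covers "revoked".
        "tampered": replace(issue_response(cid, "revoked", *valid_window, nonce), cert_status="good"),
        "revoked": issue_response(cid, "revoked", *valid_window, nonce),
    }
    results = {}
    for name, resp in cases.items():
        accepted, reason = evaluate_ocsp_response(resp, cid, nonce, now)
        results[name] = (status_field_only(resp), accepted, reason)
    return results

if __name__ == "__main__":
    for name, (shortcut, full, reason) in demo().items():
        print(f"{name:14} status-only={shortcut!s:5} full={full!s:5} {reason}")
```

Only the first case is accepted by the full check; the status-only shortcut accepts four of the five, which is the shape of the bypass: an attacker who can replay an old "good" answer, or rewrite a "revoked" one, gets a revoked certificate through.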

Potential Impact

For European organizations the risk concentrates on Tomcat deployments that authenticate clients with X.509 certificates over the OpenSSL-based connector (Tomcat Native or the FFM port) and rely on an OCSP responder to reject revoked ones. In that configuration a revoked client certificate can continue to authenticate, which defeats the standard response to a compromised or decommissioned client credential and can allow unauthorized access to the services behind it. Sectors such as finance, healthcare, government and critical infrastructure, where mutual TLS between services and timely revocation are part of the control set, are the most exposed. Deployments that use the JSSE connector, do not require client certificates, or do not use an OCSP responder are outside the scope of this particular flaw. Because Apache Tomcat is a widely used Java servlet container across Europe, the number of installations running an affected version is potentially large, even if only a subset exercises the vulnerable code path. The absence of known exploits leaves a window for proactive patching, but where the vulnerable configuration is in use the impact on the integrity of certificate-based authentication is high.

Mitigation Recommendations

European organizations should immediately inventory their Apache Tomcat and Tomcat Native deployments and record both version numbers; the Tomcat version is logged at startup by the VersionLoggerListener and the Tomcat Native version by the AprLifecycleListener. They must prioritize upgrading to the fixed versions: Apache Tomcat Native 1.3.5 or 2.0.12 or later, and Apache Tomcat 9.0.115, 10.1.52 or 11.0.18 or later. Upgrading the Tomcat Native library is a separate step from upgrading Tomcat itself, and installations on the EOL 1.1.x and 1.2.x Tomcat Native branches must move to a supported branch. Disabling OCSP checking is not a mitigation: it removes the revocation check entirely, which is strictly worse than the vulnerable behaviour. Where an immediate upgrade is not feasible, a CRL distributed to the server (the certificateRevocationListFile attribute on SSLHostConfig) provides a revocation check that does not depend on the OCSP code path, at the cost of the CRL's publication latency. OCSP stapling is not relevant to this issue: stapling concerns the server's own certificate, whereas the affected check is the server's validation of client certificates. Review access and audit logs for successful client-certificate authentications by certificates that had already been revoked, and repeat that review after patching. Include client certificate validation in regular TLS-focused security testing, and monitor the advisory for any further updates.
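The inventory step above, as an added example (not Apache's code): a small Python script that classifies Tomcat and Tomcat Native version strings against the ranges published in this CVE and pulls those versions out of startup log lines. Milestone releases such as 10.1.0-M7 sort before the matching GA release, which a plain string comparison gets wrong. The sample log lines are constructed in the shape of Tomcat's startup logging; the exact message text of a given release may differ, which is why the regexes only anchor on the version banner. A version listed as affected means the vulnerable code ships in it; whether the OCSP code path is exercised depends on the connector and client-certificate configuration, which this script does not inspect.

```python
# Added example (not Apache's code): classify Tomcat and Tomcat Native version
# strings against the inclusive ranges published for CVE-2026-24734 and
# extract those versions from catalina.out-style startup lines.
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version):
    """Sortable key; milestone builds (M-suffix) order before the GA release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))

# (low, high, fixed release) per branch, copied from the CVE text. EOL branches
# have no fixed release and must move to a supported Tomcat Native branch.
AFFECTED = {
    "tomcat-native": [("1.1.23", "1.1.34", None), ("1.2.0", "1.2.39", None),
                      ("1.3.0", "1.3.4", "1.3.5"), ("2.0.0", "2.0.11", "2.0.12")],
    "tomcat": [("9.0.83", "9.0.114", "9.0.115"), ("10.1.0-M7", "10.1.51", "10.1.52"),
               ("11.0.0-M1", "11.0.17", "11.0.18")],
}
SUPPORTED_NATIVE = "1.3.5 or 2.0.12"

def assess(product, version):
    """Return (affected, advice) for one product/version pair."""
    key = version_key(version)
    for low, high, fixed in AFFECTED[product]:
        if version_key(low) <= key <= version_key(high):
            if fixed is None:
                return True, f"{product} {version} is affected and on an EOL branch; move to {SUPPORTED_NATIVE}"
            return True, f"{product} {version} is affected; upgrade to {fixed} or later"
    return False, f"{product} {version} is not in an affected range"

# Only the version banner is matched, so surrounding message text may vary.
LOG_PATTERNS = [
    ("tomcat", re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")),
    ("tomcat-native", re.compile(r"Tomcat Native library \[(\d+\.\d+\.\d+)\]")),
]

def scan_startup_log(lines):
    """Find version banners in startup log lines; returns (product, version, affected, advice)."""
    findings = []
    for line in lines:
        for product, pattern in LOG_PATTERNS:
            m = pattern.search(line)
            if m:
                affected, advice = assess(product, m.group(1))
                findings.append((product, m.group(1), affected, advice))
    return findings

# Constructed sample lines in the shape of Tomcat's startup logging.
SAMPLE_LOG = [
    "18-Feb-2026 08:15:01.120 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log "
    "Server version name:   Apache Tomcat/9.0.114",
    "18-Feb-2026 08:15:01.900 INFO [main] org.apache.catalina.core.AprLifecycleListener.init "
    "Loaded Apache Tomcat Native library [2.0.11] using APR version [1.7.4].",
]

if __name__ == "__main__":
    for product, version, affected, advice in scan_startup_log(SAMPLE_LOG):
        print(("AFFECTED  " if affected else "ok        ") + advice)
```

Run it against a copy of catalina.out from each host, or feed `assess()` the versions from a configuration management database; a hit on either product means the host needs the corresponding upgrade, and a hit on an EOL Tomcat Native branch means a branch migration rather than a point release.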


Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-01-26T14:20:56.965Z
Cvss Version
null
State
PUBLISHED

Threat ID: 699575bd80d747be205377f0

Added to database: 2/18/2026, 8:18:05 AM

Last enriched: 2/18/2026, 8:24:15 AM

Last updated: 2/20/2026, 11:53:18 PM

Views: 349

