VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-8war-4v58-eub2

Essentials
Severities (19)
References (11)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-8war-4v58-eub2
Aliases	CVE-2026-24734 GHSA-mgp5-rv84-w37q
Summary	Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-20	Improper Input Validation
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-295	Improper Certificate Validation

System	Score	Found at
cvssv3	7.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24734.json
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
epss	0.00109	https://api.first.org/data/v1/epss?cve=CVE-2026-24734
apache_tomcat	Moderate	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734
cvssv3.1	6.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-mgp5-rv84-w37q
cvssv3.1	7.5	https://github.com/apache/tomcat
generic_textual	HIGH	https://github.com/apache/tomcat
cvssv3.1	7.4	https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
cvssv3.1	7.5	https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
generic_textual	HIGH	https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
ssvc	Track	https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2026-24734
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-24734

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24734.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-24734
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
		https://nvd.nist.gov/vuln/detail/CVE-2026-24734
2440426		https://bugzilla.redhat.com/show_bug.cgi?id=2440426
CVE-2026-24734		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24734
GHSA-mgp5-rv84-w37q		https://github.com/advisories/GHSA-mgp5-rv84-w37q
RHSA-2026:5611		https://access.redhat.com/errata/RHSA-2026:5611
RHSA-2026:5612		https://access.redhat.com/errata/RHSA-2026:5612

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24734.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-21T21:16:49Z/ Found at https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-24734

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.29315
EPSS Score	0.00109
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:38:03.463011+00:00	Apache Tomcat Importer	Import	https://tomcat.apache.org/security-11.html	38.0.0