Is org.apache.tomcat:tomcat-coyote-ffm affected by CVE-2026-29145?

Maven org.apache.tomcat:tomcat-coyote-ffm is affected in >=9.0.83 =10.1.0-M7 =11.0.0-M1 <11.0.20.

Is CVE-2026-29145 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.7%.

critical

CVE-2026-29145

Q: Is CVE-2026-29145 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.7%.

Maven · org.apache.tomcat:tomcat-coyote-ffm • Maven · org.apache.tomcat:tomcat

Summary

Apache Tomcat: CLIENT_CERT authentication does not fail as expected

Severity: critical
EPSS: 0.7% (p47)
Also known as: GHSA-95jq-rwvf-vjx4#org.apache.tomcat:tomcat, GHSA-95jq-rwvf-vjx4#org.apache.tomcat:tomcat-coyote-ffm, BIT-tomcat-2026-29145
Published: 2026-04-09

References

https://nvd.nist.gov/vuln/detail/CVE-2026-29145
https://github.com/apache/tomcat/commit/721591f7bff424c693f26adc18ae9b9abac3655b
https://github.com/apache/tomcat/commit/d1406df5ae0326f39f54c3f64ac30d8fca55cd5b

Related advisories

CVE-2026-34500 — medium · Maven/org.apache.tomcat:tomcat-coyote-ffm

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.