Overview
CVE-2026-53434 is a critical-severity vulnerability (CVSS 9.1) in Apache Tomcat discovered and reported by the Apache Software Foundation on June 8, 2026, and published to NVD on June 29, 2026.
The flaw affects the FFM (Foreign Function & Memory / Panama API) based TLS connector — Tomcat's modern OpenSSL integration using Java's Panama FFM API. When this connector is configured with invalid or malformed CRL (Certificate Revocation List) sources, the error is silently logged and execution continues rather than halting. The end result: Tomcat runs with no CRL enforcement whatsoever, accepting client certificates that should have been rejected as revoked.
The vulnerability is classified under CWE-390: Detection of Error Condition Without Action.
Note on severity ratings: NVD assigns a CVSS 9.1 (Critical) score reflecting worst-case impact. Apache's internal security page labels this "Low" — reflecting that exploitation requires a deliberate or accidental misconfiguration of CRL paths, not an unaided remote attack. In practice, misconfigurations in production TLS setups are not uncommon.
Affected Versions
| Branch | Affected Range | Fixed Version |
|---|---|---|
| Apache Tomcat 11.x | 11.0.0-M1 through 11.0.22 | 11.0.23 |
| Apache Tomcat 10.1.x | 10.1.0-M7 through 10.1.55 | 10.1.56 |
| Apache Tomcat 9.x | 9.0.83 through 9.0.118 | 9.0.119 |
Tomcat 8.x and earlier are end-of-life and have not been evaluated.
Technical Root Cause
The FFM connector uses OpenSSLContext.java to load and apply CRL files for client certificate validation. Prior to the fix, two code paths — one for file-based CRLs (crlFile) and one for directory-based CRLs (crlPath) — called log.error() on failure and allowed initialization to continue silently.
The fix replaces both silent error handlers with a hard exception:
// Before (vulnerable):
log.error(sm.getString("openssl.errorLoadingCRL"), e);
// After (fixed):
throw new IllegalArgumentException(sm.getString("openssl.errorLoadingCRL"), e);
The patch changelog states:
"Align OpenSSL/Panama TLS implementation with other implementations and throw an exception if there is an error loading the provided CRL(s)."
This brings the FFM/Panama connector into parity with Tomcat's JSSE and APR/native connectors, which already threw exceptions on CRL load failures.
CVSS v3.1 Vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Network-accessible
- No privileges required, no user interaction
- High confidentiality and integrity impact
- No availability impact
Impact
In environments using mutual TLS (mTLS) with CRL-based certificate revocation:
- A misconfigured, corrupted, or unavailable CRL source causes Tomcat to silently drop all revocation checking
- Clients presenting revoked certificates are accepted as fully authenticated
- This undermines mTLS-based access controls for service-to-service authentication, admin interfaces, and API authorization layers
- No startup error or runtime warning is generated — the misconfiguration is invisible to operators
Remediation
Upgrade (Recommended)
| Branch | Upgrade To |
|---|---|
| Tomcat 11.x | 11.0.23 |
| Tomcat 10.1.x | 10.1.56 |
| Tomcat 9.x | 9.0.119 |
Downloads available at tomcat.apache.org.
Interim Mitigations
If an immediate upgrade is not feasible:
- Validate CRL configuration — confirm all
crlFileandcrlPathvalues in your FFM connector SSL config point to valid, parseable CRL files. Test withopenssl crl -in <file> -noout - Switch TLS connector type — the JSSE connector (Java-native TLS) is not affected by this code path and already throws on invalid CRL config
- Use OCSP instead of CRLs — OCSP stapling/checking uses a separate code path not affected by this vulnerability
Verify Your Connector Type
In server.xml, the FFM connector is identified by:
<Connector protocol="org.apache.coyote.http11.Http11FfmProtocol" ... />If you are using Http11NioProtocol (JSSE) or Http11AprProtocol (APR/native), you are not exposed to this specific issue.
References
- NVD Entry: CVE-2026-53434
- Apache Tomcat 11.x Security Advisories
- Apache Tomcat 10.1.x Security Advisories
- Apache Tomcat 9.x Security Advisories
- CWE-390: Detection of Error Condition Without Action