Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-53434: Critical Apache Tomcat CRL Configuration Flaw (CVSS 9.1)
CVE-2026-53434: Critical Apache Tomcat CRL Configuration Flaw (CVSS 9.1)

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-53434

CVE-2026-53434: Critical Apache Tomcat CRL Configuration Flaw (CVSS 9.1)

A critical vulnerability in Apache Tomcat's FFM/Panama TLS connector silently ignores invalid or malformed CRL configurations, causing the server to...

Dylan H.

Security Team

June 30, 2026
4 min read

Affected Products

  • Apache Tomcat 9.0.83–9.0.118, 10.1.0-M7–10.1.55, 11.0.0-M1–11.0.22

Overview

CVE-2026-53434 is a critical-severity vulnerability (CVSS 9.1) in Apache Tomcat discovered and reported by the Apache Software Foundation on June 8, 2026, and published to NVD on June 29, 2026.

The flaw affects the FFM (Foreign Function & Memory / Panama API) based TLS connector — Tomcat's modern OpenSSL integration using Java's Panama FFM API. When this connector is configured with invalid or malformed CRL (Certificate Revocation List) sources, the error is silently logged and execution continues rather than halting. The end result: Tomcat runs with no CRL enforcement whatsoever, accepting client certificates that should have been rejected as revoked.

The vulnerability is classified under CWE-390: Detection of Error Condition Without Action.

Note on severity ratings: NVD assigns a CVSS 9.1 (Critical) score reflecting worst-case impact. Apache's internal security page labels this "Low" — reflecting that exploitation requires a deliberate or accidental misconfiguration of CRL paths, not an unaided remote attack. In practice, misconfigurations in production TLS setups are not uncommon.

Affected Versions

BranchAffected RangeFixed Version
Apache Tomcat 11.x11.0.0-M1 through 11.0.2211.0.23
Apache Tomcat 10.1.x10.1.0-M7 through 10.1.5510.1.56
Apache Tomcat 9.x9.0.83 through 9.0.1189.0.119

Tomcat 8.x and earlier are end-of-life and have not been evaluated.

Technical Root Cause

The FFM connector uses OpenSSLContext.java to load and apply CRL files for client certificate validation. Prior to the fix, two code paths — one for file-based CRLs (crlFile) and one for directory-based CRLs (crlPath) — called log.error() on failure and allowed initialization to continue silently.

The fix replaces both silent error handlers with a hard exception:

// Before (vulnerable):
log.error(sm.getString("openssl.errorLoadingCRL"), e);
// After (fixed):
throw new IllegalArgumentException(sm.getString("openssl.errorLoadingCRL"), e);

The patch changelog states:

"Align OpenSSL/Panama TLS implementation with other implementations and throw an exception if there is an error loading the provided CRL(s)."

This brings the FFM/Panama connector into parity with Tomcat's JSSE and APR/native connectors, which already threw exceptions on CRL load failures.

CVSS v3.1 Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

  • Network-accessible
  • No privileges required, no user interaction
  • High confidentiality and integrity impact
  • No availability impact

Impact

In environments using mutual TLS (mTLS) with CRL-based certificate revocation:

  • A misconfigured, corrupted, or unavailable CRL source causes Tomcat to silently drop all revocation checking
  • Clients presenting revoked certificates are accepted as fully authenticated
  • This undermines mTLS-based access controls for service-to-service authentication, admin interfaces, and API authorization layers
  • No startup error or runtime warning is generated — the misconfiguration is invisible to operators

Remediation

Upgrade (Recommended)

BranchUpgrade To
Tomcat 11.x11.0.23
Tomcat 10.1.x10.1.56
Tomcat 9.x9.0.119

Downloads available at tomcat.apache.org.

Interim Mitigations

If an immediate upgrade is not feasible:

  1. Validate CRL configuration — confirm all crlFile and crlPath values in your FFM connector SSL config point to valid, parseable CRL files. Test with openssl crl -in <file> -noout
  2. Switch TLS connector type — the JSSE connector (Java-native TLS) is not affected by this code path and already throws on invalid CRL config
  3. Use OCSP instead of CRLs — OCSP stapling/checking uses a separate code path not affected by this vulnerability

Verify Your Connector Type

In server.xml, the FFM connector is identified by:

<Connector protocol="org.apache.coyote.http11.Http11FfmProtocol" ... />

If you are using Http11NioProtocol (JSSE) or Http11AprProtocol (APR/native), you are not exposed to this specific issue.

References

  • NVD Entry: CVE-2026-53434
  • Apache Tomcat 11.x Security Advisories
  • Apache Tomcat 10.1.x Security Advisories
  • Apache Tomcat 9.x Security Advisories
  • CWE-390: Detection of Error Condition Without Action
#Apache Tomcat#CVE#TLS#Certificate Revocation#Vulnerability

Related Articles

CVE-2026-13019: Esri ArcGIS Portal Critical Unauthenticated API Access

A critical missing authentication vulnerability in Esri Portal for ArcGIS 12.1 and earlier allows remote unauthenticated attackers to access protected API endpoints across Windows, Linux, and Kubernetes deployments.

3 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read
Back to all Security Alerts