CVE-2026-53434: Apache Tomcat: Invalid CRL configuration doesn't trigger failure for FFM Connector
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: 0
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in Apache Tomcat affecting the FFM (Foreign Function and Memory) connector's handling of Certificate Revocation List (CRL) configuration. When a CRL is configured incorrectly, Tomcat silently ignores the error instead of rejecting the configuration or blocking TLS client connections, meaning revoked certificates are accepted as valid. An attacker over the network, with no credentials required, can authenticate using a certificate that should have been rejected, gaining unauthorized read and write access to protected resources. A patched-image rebuild is available on HarborGuard for environments running affected versions once the upstream fix is confirmed published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle Apache Tomcat. Affected versions spanning the 9.0.x, 10.1.x, and 11.0.x release lines are identified automatically.
HarborGuard scores this CVE at 9.1 CRITICAL using the CVSS v3.1 vector and surfaces it at the top of the affected-image queue in each customer environment. Per-environment compliance policy weighting is applied before routing findings to the appropriate team inbox inside each customer organization.
A patched-image rebuild at versions 11.0.23, 10.1.56, or 9.0.119 becomes available on HarborGuard once the upstream release is confirmed and ingested. For customers who opt into auto-remediation, the rebuild is followed by a regression-test run and a pull request opened against affected workloads; where compliance policy permits, this flow runs without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Tomcat FFM connector over the network; the service must be exposed on a routable or internet-facing interface.
- Authentication: Not required
No credentials are needed; the flaw exists precisely in the layer that is supposed to enforce certificate-based authentication, so an attacker with any certificate (including a revoked one) can proceed without a valid identity check.
- Victim interaction: Not required
No user interaction is required; the attacker connects directly to the Tomcat endpoint and the vulnerability is triggered server-side.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions such as race conditions or precise memory layout.
Blast Radius
- Reads protected application data and session content served by Tomcat, including anything gated behind mutual TLS client authentication.
- Modifies or submits data to application endpoints that were intended to be restricted to holders of valid, non-revoked certificates.
- Bypasses identity-based access controls entirely, allowing a holder of any revoked certificate to impersonate a previously trusted client identity.
- No availability impact is indicated by the CVSS vector; the service itself remains running while the breach occurs.
How HarborGuard Handles This
Available on HarborGuard: once the upstream releases (11.0.23, 10.1.56, 9.0.119) are ingested, a patched-image rebuild becomes available for every affected image identified in customer registries and pipelines. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the fixed version, runs a regression suite, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Until a rebuild is applied, compensating controls include restricting network access to the FFM connector endpoint via Kubernetes NetworkPolicy or firewall rules, auditing CRL configuration to confirm it is syntactically valid and points to a reachable distribution point, and temporarily switching affected connectors to a non-FFM implementation if one is available in the deployment. HarborGuard re-checks the advisory each ingest cycle and will surface rebuild availability the moment the upstream packages are confirmed published.
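The failure pattern behind this CVE (an error that is detected, logged and then ignored, so the connector starts with no revocation data) and the CRL audit recommended above as a compensating control, as an added Python example. This is not Tomcat's code or HarborGuard's tooling; it models the fail-open versus fail-closed startup decision and performs a minimal structural check of a PEM-encoded CRL (PEM envelope, base64, outer DER SEQUENCE length), not a full X.509 parse. All CRL contents below are constructed inline for the example.

```python
"""Fail-open vs fail-closed CRL loading (added example, not Tomcat code)."""
import base64
import binascii
import logging

log = logging.getLogger("crl-audit")

PEM_BEGIN = "-----BEGIN X509 CRL-----"
PEM_END = "-----END X509 CRL-----"


class CrlConfigError(Exception):
    """Raised when a configured CRL cannot be used; the connector must not start."""


def _der_sequence_len(der):
    """Return the total length the outer DER SEQUENCE claims, or raise."""
    if len(der) < 2 or der[0] != 0x30:
        raise CrlConfigError("CRL body is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise CrlConfigError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_crl_pem(text):
    """Strict structural check of a PEM CRL; returns the DER bytes or raises."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise CrlConfigError("missing or wrong PEM envelope (expected X509 CRL)")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise CrlConfigError("CRL body is not valid base64: %s" % exc) from exc
    if _der_sequence_len(der) != len(der):
        raise CrlConfigError("DER length does not match CRL body")
    return der


def audit_crl(crl_pem):
    """Audit helper: (True, 'ok') if the CRL loads, else (False, reason)."""
    try:
        parse_crl_pem(crl_pem)
        return (True, "ok")
    except CrlConfigError as exc:
        return (False, str(exc))


def start_connector(crl_pem, fail_closed):
    """Simulate connector startup under both policies.

    The vulnerable outcome is started=True with revocation_enforced=False:
    the service is up and every client certificate, revoked or not, passes.
    """
    try:
        parse_crl_pem(crl_pem)
        return {"started": True, "revocation_enforced": True, "error": None}
    except CrlConfigError as exc:
        log.error("CRL could not be loaded: %s", exc)
        if fail_closed:
            # Hardened: a broken revocation check is a startup failure.
            return {"started": False, "revocation_enforced": False, "error": str(exc)}
        # Fail-open (the behaviour this advisory describes): the error is
        # detected and logged, then ignored; the connector starts with no CRL.
        return {"started": True, "revocation_enforced": False, "error": str(exc)}


# Constructed inputs: a structurally valid CRL body (SEQUENCE { INTEGER 5 }),
# the same body truncated by one byte, and a certificate file mistakenly
# configured where a CRL was expected.
GOOD_CRL_PEM = "-----BEGIN X509 CRL-----\nMAMCAQU=\n-----END X509 CRL-----\n"
TRUNCATED_CRL_PEM = "-----BEGIN X509 CRL-----\nMAMCAQ==\n-----END X509 CRL-----\n"
CERT_INSTEAD_OF_CRL_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in [("good", GOOD_CRL_PEM), ("truncated", TRUNCATED_CRL_PEM),
                      ("certificate", CERT_INSTEAD_OF_CRL_PEM)]:
        print(name, audit_crl(pem))
        print("  fail-open  :", start_connector(pem, fail_closed=False))
        print("  fail-closed:", start_connector(pem, fail_closed=True))
```

In Tomcat the CRL is referenced from the SSLHostConfig `certificateRevocationListFile` attribute (or `certificateRevocationListPath` for a directory); auditing that configuration means running a check like `audit_crl` over whatever those attributes point at, and for a real CRL following it with `openssl crl -in <file> -CAfile <ca-cert> -noout`, which also verifies the issuer signature. The `start_connector` contrast is the property to look for in a fixed build: an unusable CRL must stop the connector, not just produce a log line.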
Fix available
- Apache Software Foundation / Apache Tomcat: ≤ 11.0.22 · ≤ 10.1.55 · ≤ 9.0.118 (Fixed in: 0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N