| Verdict: DocuShare 7.5, 7.6, 7.7, and 8.0 are NOT affected by CVE-2026-24880, CVE-2026-29129, or CVE-2026-29145. No action is required. |
Issue Summary
Three security vulnerabilities affecting Apache Tomcat were reported in early 2026 (CVE-2026-24880, CVE-2026-29129, and CVE-2026-29145). If your organization is performing a security assessment or responding to vulnerability scanner findings, this article explains whether these CVEs affect DocuShare.
DocuShare bundles Apache Tomcat as its embedded web application server. Xerox has investigated the impact of all three CVEs against DocuShare 7.5, 7.6, 7.7, and 8.0.
| Note: The CVE analysis in this article applies to DocuShare installations running Apache Tomcat 9.0.106. Depending on your DocuShare version, a Tomcat patch may need to have been applied to reach Tomcat 9.0.106. See the 'Apache Tomcat Version Reference' section for details. |
Vulnerability Summary
The table below summarizes each CVE, the Tomcat versions it affects, and whether DocuShare is impacted:
| CVE | Affected Tomcat Versions | Trigger Condition | Affects DocuShare? |
| --- | --- | --- | --- |
| CVE-2026-24880 | 9.0.0.M1 - 9.0.115 (also 8.5.x, 10.1.x, 11.0.x) | Reverse proxy in front of Tomcat permitting CRLF in HTTP/1.1 chunk extensions | No |
| CVE-2026-29129 | 9.0.114 - 9.0.115 only (also 10.1.51-52, 11.0.16-18) | TLS 1.3 cipher suite configuration with explicit ordering | No |
| CVE-2026-29145 | 9.0.83 - 9.0.115 (also 10.1.x, 11.0.x) | CLIENT_CERT authentication + OCSP revocation checking + OCSP soft-fail disabled | No |
| DocuShare 7.5 / 7.6 / 7.7 / 8.0 | Tomcat 9.0.106 (after Tomcat patch) | Does not use reverse proxy, CLIENT_CERT auth, or OCSP | Not Affected |
CVE Analysis
CVE-2026-24880 - Apache Tomcat: HTTP Request Smuggling via CRLF Injection
https://nvd.nist.gov/vuln/detail/CVE-2026-24880
CVE-2026-24880 enables HTTP request smuggling when a reverse proxy in front of Tomcat permits CRLF (carriage return / line feed) sequences inside HTTP/1.1 chunk extensions. The affected Tomcat version range on the 9.x branch is 9.0.0.M1 through 9.0.115.
Tomcat 9.0.106 (the version used by DocuShare after applying the applicable Tomcat patch) falls within the affected version range. However, the vulnerability requires a specific reverse proxy configuration that is not part of any DocuShare deployment:
- DocuShare ships Tomcat as the front-end HTTP server. No reverse proxy is bundled with or required by DocuShare.
- The vulnerable code path — handling of CRLF sequences passed through a reverse proxy into Tomcat — is not reachable in a standard DocuShare installation.
| CVE-2026-24880: Not applicable to DocuShare. No action required. |
CVE-2026-29129 - Apache Tomcat: TLS 1.3 Cipher Suite Configuration Issue
https://nvd.nist.gov/vuln/detail/CVE-2026-29129
CVE-2026-29129 affects only Apache Tomcat versions 9.0.114 and 9.0.115 on the 9.x branch (also 10.1.51-10.1.52 and 11.0.16-11.0.18). The vulnerability relates to TLS 1.3 cipher suite configuration with explicit ordering.
DocuShare is not affected for a straightforward version range reason:
- DocuShare bundles Tomcat 9.0.106, which is earlier than the first affected version 9.0.114. The vulnerability was introduced in 9.0.114 and does not exist in 9.0.106.
- Tomcat 9.0.106 is entirely outside the affected version range for this CVE.
| CVE-2026-29129: Not applicable to DocuShare. No action required. |
CVE-2026-29145 - Apache Tomcat: OCSP Certificate Revocation Check Bypass
https://nvd.nist.gov/vuln/detail/CVE-2026-29145
CVE-2026-29145 affects Apache Tomcat versions 9.0.83 through 9.0.115, 10.1.0-M7 through 10.1.52, and 11.0.0-M1 through 11.0.18. The vulnerability is triggered only when all three of the following conditions are simultaneously present in the Tomcat configuration:
- TLS client certificate authentication (clientAuth) is enabled.
- OCSP (Online Certificate Status Protocol) revocation checking is enabled.
- OCSP soft-fail is disabled (meaning Tomcat must receive a valid OCSP response).
Tomcat 9.0.106 falls within the affected version range. However, none of the required trigger conditions are present in a DocuShare installation:
- All DocuShare server*.xml configuration files ship with clientAuth="false". TLS client certificate authentication is not enabled.
- DocuShare does not configure OCSP revocation checking. The vulnerable code path is therefore never executed.
| CVE-2026-29145: Not applicable to DocuShare. No action required. |
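To confirm on a given installation that the CVE-2026-29145 trigger conditions are absent, the connector settings in each server*.xml file can be checked directly. The script below is an added example, not Xerox or Apache tooling: the function name `audit_server_xml` and both sample configurations are constructed for illustration, and it only inspects attributes in the XML it is given. Matching revocation settings by attribute name is a heuristic, so any hit is reported for manual review rather than treated as proof of exposure.

```python
import xml.etree.ElementTree as ET

# Attribute values that turn TLS client-certificate authentication on.
# clientAuth is the attribute the article cites; certificateVerification is
# the SSLHostConfig form of the same setting.
CLIENT_CERT_ON = {
    "clientauth": {"true", "want"},
    "certificateverification": {"required", "optional", "optionalnoca"},
}

def audit_server_xml(xml_text):
    """Collect settings relevant to the CVE-2026-29145 trigger conditions."""
    client_cert, revocation = [], []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in ("Connector", "SSLHostConfig"):
            continue
        for name, value in elem.attrib.items():
            key, val = name.lower(), value.strip().lower()
            if val in CLIENT_CERT_ON.get(key, ()):
                client_cert.append((elem.tag, name, value))
            # Heuristic name match (an assumption, not a list of Tomcat
            # attributes): any revocation/OCSP setting is reported for review.
            elif "ocsp" in key or "revocation" in key:
                revocation.append((elem.tag, name, value))
    return {
        "client_cert": client_cert,
        "revocation": revocation,
        # The CVE needs client-cert auth AND revocation checking together.
        "needs_review": bool(client_cert) and bool(revocation),
    }

# Constructed sample: connector as the article describes the shipped files.
SHIPPED = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="false" />
</Service></Server>"""

# Constructed sample: a locally modified connector that should be flagged.
MODIFIED = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true">
    <SSLHostConfig certificateVerification="required" revocationEnabled="true" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("modified", MODIFIED)):
        print(label, audit_server_xml(text))
```

A result with `needs_review` set to false for every server*.xml file is the evidence to attach to a scanner exception; a true result means the installation has been customized beyond the configuration this article analyzes.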
Apache Tomcat Version Reference
The CVE analysis in this article is based on Apache Tomcat 9.0.106, which is the version in use on a fully patched DocuShare installation. Older DocuShare versions ship with an earlier Tomcat build and require a Tomcat patch to be applied to reach version 9.0.106. The Tomcat patch is available from the DocuShare support portal for each supported release.
| DocuShare Version | Tomcat Version (after Tomcat patch) |
| --- | --- |
| DocuShare 7.5 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.6 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.7 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 8.0 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| Note: If you have not yet applied the Tomcat patch for your DocuShare version, it is recommended to do so as part of general maintenance. Contact Xerox DocuShare Support for the appropriate patch for your version. |
Vulnerability Scanner Findings
If your organization's vulnerability scanner reports CVE-2026-24880, CVE-2026-29129, or CVE-2026-29145 based on the Tomcat version string alone — without evaluating the required trigger conditions — this article can be used as supporting documentation to demonstrate that DocuShare is not at risk.
Key points for scanner remediation workflows:
- CVE-2026-24880 requires a reverse proxy in front of Tomcat that passes CRLF sequences in chunk extensions. DocuShare does not use a reverse proxy in its standard deployment.
- CVE-2026-29129 requires Tomcat 9.0.114 or 9.0.115. DocuShare ships Tomcat 9.0.106, which is outside the affected version range entirely.
- CVE-2026-29145 requires both CLIENT_CERT authentication and OCSP revocation checking to be enabled. Neither is configured in DocuShare's default or standard deployment.
Conclusion
Xerox DocuShare has reviewed CVE-2026-24880, CVE-2026-29129, and CVE-2026-29145 and confirmed that DocuShare 7.5, 7.6, 7.7, and 8.0 are not affected by any of them. No patches, configuration changes, or workarounds are required for DocuShare in response to these CVEs.