Security Advisory: DocuShare Not Affected by CVE-2026-34500
| Verdict: DocuShare 7.5, 7.6, 7.7, and 8.0 are NOT affected by CVE-2026-34500 in standard deployments. No action is required. |
Issue Summary
CVE-2026-34500 is a reported Apache Tomcat vulnerability. If your organization is performing a security assessment or responding to vulnerability scanner findings, this article explains whether this CVE affects DocuShare.
DocuShare bundles Apache Tomcat as its embedded web application server. Xerox has investigated the impact of this CVE against DocuShare 7.5, 7.6, 7.7, and 8.0.
The CVE describes a condition where CLIENT_CERT authentication does not fail as expected for some scenarios when soft-fail is disabled and the FFM-based OpenSSL TLS implementation is used. This article explains whether that issue affects DocuShare.
| Note: The CVE analysis in this article applies to DocuShare installations running Apache Tomcat 9.0.106. Depending on your DocuShare version, a Tomcat patch may need to have been applied to reach Tomcat 9.0.106. See the 'Apache Tomcat Version Reference' section for details. |
Vulnerability Summary
The table below summarizes the CVE, the Tomcat versions it affects, the trigger conditions, and whether DocuShare is impacted:
| CVE | Affected Tomcat Versions | Trigger Condition | Affects DocuShare? |
| CVE-2026-34500 | 9.0.92 - 9.0.116 (also 10.1.22 - 10.1.53 and 11.0.0-M14 - 11.0.20) | Connector-level CLIENT_CERT auth in use, soft-fail disabled, and FFM-based OpenSSL TLS implementation active | No |
| DocuShare 7.5 / 7.6 / 7.7 / 8.0 | Tomcat 9.0.106 (after Tomcat patch) | FFM-based OpenSSL TLS implementation is not configured or loaded in DocuShare | Not Affected |
CVE Analysis
CVE-2026-34500 - Apache Tomcat: OCSP Checks Sometimes Soft-Fail with FFM Even When Soft-Fail Is Disabled
https://nvd.nist.gov/vuln/detail/CVE-2026-34500
Apache Tomcat lists CVE-2026-34500 as affecting versions 9.0.92 through 9.0.116 on the 9.x branch, with the fix in 9.0.117. On version range alone, Tomcat 9.0.106 falls within the published affected range.
However, both the Apache Tomcat advisory and the Xerox engineering analysis show that the vulnerability is only reachable when all of the following are true at runtime:
1. Connector-level CLIENT_CERT authentication is enabled.
2. Soft-fail is disabled.
3. The FFM-based (Foreign Function and Memory) OpenSSL TLS implementation is the active SSL implementation on the connector.
The Xerox engineering analysis states that the FFM-based OpenSSL implementation is neither configured nor loaded in a DocuShare deployment. Because that runtime prerequisite is absent, the vulnerable code path cannot be reached in DocuShare.
| CVE-2026-34500: Not applicable to DocuShare. No action required. |
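To collect configuration evidence for conditions 1 and 3 on your own installation, the following added example (not Xerox or Apache code) parses a Tomcat server.xml and flags the FFM OpenSSL listener or connector setting. The class names come from the Apache Tomcat configuration reference rather than this advisory, the mapping of connector-level client-certificate authentication to certificateVerification is an assumption, and both server.xml samples are constructed.

```python
import xml.etree.ElementTree as ET

# Class names from the Apache Tomcat configuration reference (not from this advisory).
FFM_SSL_IMPL = "org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"
FFM_LISTENER = "org.apache.catalina.core.OpenSSLLifecycleListener"
CLIENT_CERT_MODES = {"required", "optional", "optionalnoca"}

def audit_server_xml(xml_text):
    """Report, per TLS connector, the config signals tied to conditions 1 and 3."""
    root = ET.fromstring(xml_text)
    listener = any(l.get("className") == FFM_LISTENER for l in root.iter("Listener"))
    connectors = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector: no TLS implementation involved
        # Assumption: client-cert auth appears as certificateVerification on SSLHostConfig.
        modes = {h.get("certificateVerification", "none").lower() for h in conn.iter("SSLHostConfig")}
        connectors.append({
            "port": conn.get("port"),
            "ffm_explicit": conn.get("sslImplementationName") == FFM_SSL_IMPL,
            "client_cert": bool(modes & CLIENT_CERT_MODES),
        })
    return {"ffm_listener": listener, "connectors": connectors}

def needs_review(findings):
    """True when any FFM signal is present; False supports a not-applicable call."""
    return findings["ffm_listener"] or any(c["ffm_explicit"] for c in findings["connectors"])

# Constructed samples, not taken from a DocuShare installation.
SAMPLE_JSSE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig><Certificate certificateKeystoreFile="conf/keystore.jks"/></SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

SAMPLE_FFM = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.OpenSSLLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslImplementationName="org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation">
      <SSLHostConfig certificateVerification="required"/>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    print(needs_review(audit_server_xml(SAMPLE_JSSE)), needs_review(audit_server_xml(SAMPLE_FFM)))
```

The check reads configuration only and does not show which TLS implementation the JVM loaded at runtime; a listener without an explicit connector setting is flagged conservatively for manual review.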
Apache Tomcat Version Reference
The analysis in this article is based on Apache Tomcat 9.0.106, which is the version in use on a fully patched DocuShare installation. Older DocuShare versions ship with an earlier Tomcat build and require the applicable Tomcat patch to reach version 9.0.106. The Tomcat patch is available from the DocuShare support portal for each supported release.
| DocuShare Version | Tomcat Version (after Tomcat patch) |
| DocuShare 7.5 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.6 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 7.7 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| DocuShare 8.0 | Apache Tomcat 9.0.106 (requires Tomcat patch) |
| Note: If you have not yet applied the Tomcat patch for your DocuShare version, it is recommended to do so as part of general maintenance. Contact Xerox DocuShare Support for the appropriate patch for your version. |
Vulnerability Scanner Findings
If your organization's vulnerability scanner reports CVE-2026-34500 based only on the Tomcat version string, this article can be used as supporting documentation to demonstrate that DocuShare is not at risk.
Key points for scanner remediation workflows:
CVE-2026-34500 is not triggered by version alone.
The vulnerable code path requires the FFM-based OpenSSL TLS implementation.
That implementation is not configured or loaded in DocuShare.
Xerox engineering analysis determined that DocuShare is not vulnerable.
Conclusion
Xerox DocuShare has reviewed CVE-2026-34500 and confirmed that DocuShare 7.5, 7.6, 7.7, and 8.0 are not affected in standard deployments. No patches, configuration changes, or workarounds are required for DocuShare in response to this CVE.