Apache HTTP Server 2.4.68 fixes 13 flaws across HTTP/2, proxy, SSL, LDAP, and WebDAV
The Apache Software Foundation released Apache HTTP Server 2.4.68 to patch 13 vulnerabilities affecting versions prior to 2.4.68, with many issues spanning 2.4.0 through 2.4.67. The flaws span multiple modules, including mod_http2, mod_proxy_ftp, mod_proxy_html, mod_ssl, mod_ldap, mod_dav_fs, mod_xml2enc, and mod_headers, and include use-after-free, heap and buffer overflows, out-of-bounds reads, denial-of-service conditions, cross-site scripting, privilege-escalation and path-handling weaknesses. Apache and national defenders, including Canada’s Cyber Centre, urged administrators to review the advisory and upgrade because workarounds are unavailable for most of the issues.
Notable CVEs include CVE-2026-49975, a mod_http2 denial-of-service bug triggered by excessive size values in malicious HTTP/2 requests; CVE-2026-48913, a mod_http2 memory-corruption issue when file handles are exhausted; CVE-2026-34355 and CVE-2026-34356, buffer-overflow flaws tied to untrusted backend systems in mod_proxy_html and ProxyPassReverseCookie*; CVE-2026-44631, a heap underflow in ap_regname caused by crafted regular expressions; CVE-2026-29167, a mod_ldap per-directory use-after-free; CVE-2026-29170 and CVE-2026-44186 in mod_proxy_ftp; CVE-2026-44185 in mod_ssl OCSP handling; and CVE-2026-42535 in mod_dav_fs. The release also ships non-security changes such as OpenSSL 4.0 support and mod_http2 updates, but the immediate priority for exposed environments is upgrading all Apache HTTP Server deployments to 2.4.68.

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Apache releases HTTP Server 2.4.68 with security fixes
Apache released HTTP Server 2.4.68 on June 8, 2026 to fix 13 vulnerabilities affecting multiple modules, including mod_http2, mod_ssl, mod_proxy_ftp, mod_dav_fs, mod_ldap, mod_xml2enc, mod_headers, and mod_proxy_html. Apache advised users running earlier versions to upgrade to remediate the issues.
Debian publishes apache2 security update DSA-6323-1
Debian published security advisory DSA-6323-1 for apache2. The reference indicates a product security update was issued, though no synopsis details are provided in the source content.
Apache fixes six vulnerabilities in the 2.4.x branch
Apache committed fixes on June 5, 2026 for CVE-2026-34356, CVE-2026-42535, CVE-2026-43951, CVE-2026-44186, and CVE-2026-44631 in the 2.4.x branch. These changes addressed flaws in proxy cookie rewriting, WebDAV path handling, header merging, mod_proxy_ftp looping, and ap_regname heap underflow.
Apache fixes four vulnerabilities in the 2.4.x branch
Apache committed fixes on June 4, 2026 for CVE-2026-34355, CVE-2026-29170, and CVE-2026-42536 (the latter in the related code revision r1934971). The changes addressed mod_proxy_html overflow, mod_proxy_ftp XSS, and mod_xml2enc heap overflow issues.
Apache fixes two vulnerabilities in the 2.4.x branch
Apache fixed CVE-2026-48913 in revision r1934882 and CVE-2026-44185 in revision r1934919 in the 2.4.x branch. These addressed a mod_http2 memory-corruption issue and a mod_ssl stack buffer over-read.
Apache incorporates CVE-2026-49975 fix into 2.4.x
Apache incorporated the previously upstreamed fix for CVE-2026-49975 into the 2.4.x branch. This prepared the HTTP/2 denial-of-service fix for inclusion in the next HTTP Server release.
mod_http2 DoS fix lands upstream
The fix for CVE-2026-49975 was applied upstream in mod_h2. Apache later incorporated that change into the 2.4.x branch before the public release.
Apache receives report for CVE-2026-49975 HTTP/2 DoS
Apache received a report for CVE-2026-49975, a denial-of-service issue caused by excessive size values in the HTTP/2 component. The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.67.
Apache receives report for CVE-2026-48913 mod_http2 corruption
Apache received a report for CVE-2026-48913, a mod_http2 vulnerability that can lead to memory corruption when file handles are exhausted. Apache HTTP Server versions 2.4.55 through 2.4.67 are affected.
Apache receives reports for six April 27 vulnerabilities
Apache received reports on April 27, 2026 for CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44185, CVE-2026-44186, and CVE-2026-44631. These issues span mod_dav_fs, mod_xml2enc, mod_headers, mod_ssl, mod_proxy_ftp, and ap_regname, affecting versions through 2.4.67.
Apache receives report for CVE-2026-34355 mod_proxy_html overflow
Apache received a report for CVE-2026-34355, a buffer overflow vulnerability in mod_proxy_html that can be triggered by an untrusted backend. The issue affects Apache HTTP Server versions 2.4.0 through 2.4.67.
Apache receives report for CVE-2026-29170 mod_proxy_ftp XSS
Apache received a report for CVE-2026-29170, a cross-site scripting flaw in mod_proxy_ftp affecting HTML directory list generation for FTP directory contents. Apache HTTP Server 2.4.67 and earlier are affected.
Apache receives report for CVE-2026-29167 mod_ldap use-after-free
Apache received a report for CVE-2026-29167, a use-after-free vulnerability in mod_ldap when used in per-directory configuration. Apache HTTP Server versions 2.4.0 through 2.4.67 are affected.
Apache receives report for CVE-2026-34356 buffer overflow
Apache received a report for CVE-2026-34356, a heap-based buffer overflow involving ProxyPassReverseCookie* when interacting with malicious backend servers. The flaw affects Apache HTTP Server versions 2.4.0 through 2.4.67.
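Fleet triage helper, added here as an example and not code from Apache or the advisory: it parses an installed httpd version from `httpd -v` output (or a Server header) and reports which of the CVEs with affected ranges stated in the timeline above apply, and whether the host is below the fixed 2.4.68. The lower bound of 2.4.0 for CVE-2026-29170 is an assumption, since the page only says "2.4.67 and earlier".

```python
import re

FIXED_IN = (2, 4, 68)

# (CVE, first affected, last affected, summary), ranges as stated in the timeline above.
# CVE-2026-29170's lower bound is assumed; the page only says "2.4.67 and earlier".
AFFECTED = [
    ("CVE-2026-49975", (2, 4, 17), (2, 4, 67), "mod_http2 DoS via excessive size values"),
    ("CVE-2026-48913", (2, 4, 55), (2, 4, 67), "mod_http2 memory corruption on file-handle exhaustion"),
    ("CVE-2026-34355", (2, 4, 0), (2, 4, 67), "mod_proxy_html buffer overflow from untrusted backend"),
    ("CVE-2026-34356", (2, 4, 0), (2, 4, 67), "ProxyPassReverseCookie* heap buffer overflow"),
    ("CVE-2026-29167", (2, 4, 0), (2, 4, 67), "mod_ldap per-directory use-after-free"),
    ("CVE-2026-29170", (2, 4, 0), (2, 4, 67), "mod_proxy_ftp XSS in FTP directory listings"),
]

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Apache version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def applicable_cves(version):
    """Return the listed CVEs whose stated affected range includes `version`."""
    return [cve for cve, lo, hi, _ in AFFECTED if lo <= version <= hi]


def triage(banner):
    """Summarise exposure for one host: version, upgrade needed, applicable CVEs."""
    v = parse_httpd_version(banner)
    return {"version": v, "needs_upgrade": v < FIXED_IN, "cves": applicable_cves(v)}


if __name__ == "__main__":
    # Constructed sample banners, not real hosts.
    for banner in ("Server version: Apache/2.4.58 (Unix)",
                   "Server version: Apache/2.4.16 (Unix)",
                   "Server version: Apache/2.4.68 (Unix)"):
        print(triage(banner))
```

Treat a version-string match as a first pass only: distribution builds such as the Debian apache2 package referenced by DSA-6323-1 may backport fixes without bumping the upstream version, so confirm against the vendor's changelog before closing a finding.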
Sources
21 references tracked.
- Apache security advisory (AV26-563) - Canadian Centre for Cyber Security (cyber.gc.ca)
- Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws (cybersecuritynews.com)
- Apache HTTP Server Patches: Buffer Overflow Vulnerabilities (securityonline.info)
- CVE-2026-44631 - Apache HTTP Server: Heap Underflow in `ap_regname` via Signed Char Overflow (cvefeed.io)
- oss-sec: CVE-2026-29170: Apache HTTP Server: mod_proxy_ftp XSS (seclists.org)
- oss-sec: CVE-2026-29167: Apache HTTP Server: mod_ldap per-dir use-after-free (seclists.org)
- oss-sec: CVE-2026-34356: Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow (seclists.org)
- [no-title] (downloads.apache.org)