Apache HTTP Server: High-risk flaws allow possible remote code execution
Apache HTTP Server 2.4.67 patches eleven security vulnerabilities, among them a double free in the HTTP/2 code that may allow remote code execution.
Several security vulnerabilities have been discovered in the popular Apache HTTP Server, five of which are rated high risk. The most serious, a double free in the HTTP/2 handling, may allow attackers to execute code remotely. The updated version addresses all of them.
On Monday of this week, the Apache HTTP Server Project released version 2.4.67 of the web server. According to the project's listing, it closes eleven security vulnerabilities. Five of these are rated high risk; two of them, at CVSS 8.8, fall just short of the "critical" band, which starts at 9.0.
Five high-risk vulnerabilities
The individual vulnerabilities sorted by severity:
- Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol (CVE-2026-23918, CVSS 8.8, Risk “high”)
- Escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier (CVE-2026-24072, CVSS 8.8, Risk “high”)
- A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier (CVE-2026-29169, CVSS 7.5, Risk “high”)
- Buffer Over-read vulnerability in Apache HTTP Server (CVE-2026-34059, CVSS 7.5, Risk “high”)
- Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md (CVE-2026-29168, CVSS 7.3, Risk “high”)
- HTTP response splitting vulnerability in multiple Apache HTTP Server modules (CVE-2026-33523, CVSS 6.5, Risk “medium”)
- A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier (CVE-2026-33007, CVSS 5.3, Risk “medium”)
- Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server (CVE-2026-34032, CVSS 5.3, Risk “medium”)
- Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server (CVE-2026-33857, CVSS 5.3, Risk “medium”)
- A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 (CVE-2026-33006, CVSS 4.8, Risk “medium”)
- Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server (CVE-2026-28780, CVSS value not yet available)
Administrators running Apache HTTP Server should update to the new version promptly.
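As an added illustration (not code from heise or the Apache project), the following POSIX shell script does the two checks an administrator would want before and after the update: whether the installed httpd reports a version below the fixed release 2.4.67, and which of the modules named in the advisory list above it actually has loaded. The `httpd -v` and `httpd -M` output embedded in it is constructed sample data; the module names are the ones `httpd -M` reports, and attributing the HTTP/2 fix (CVE-2026-23918) to mod_http2 is an assumption based on the advisory title. The privilege-escalation, buffer over-read and null-termination entries name no single module, so they apply regardless of which modules are loaded.

```shell
#!/bin/sh
# Added example, not from the heise article or the Apache project.
# Checks an httpd instance against the 2.4.67 release: version below the fix,
# and which of the modules named in the advisories are loaded.

FIXED_VERSION="2.4.67"
# Modules named in the advisory titles, as `httpd -M` reports them.
# Assumption: the HTTP/2 double free (CVE-2026-23918) lives in mod_http2.
AFFECTED_MODULES="http2_module dav_lock_module md_module authn_socache_module proxy_ajp_module auth_digest_module"

# Constructed sample output, mimicking `httpd -v` and `httpd -M` on a 2.4.66 host.
SAMPLE_BANNER='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 proxy_ajp_module (shared)
 ssl_module (shared)'

# version_lt A B: exit 0 if dotted version A is numerically below B.
# Uses awk rather than `sort -V`, which is not available on every platform.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai < bi) exit 0;
            if (ai > bi) exit 1;
        }
        exit 1;
    }'
}

# httpd_version_from_banner BANNER: extract "2.4.66" from
# "Server version: Apache/2.4.66 (Unix)"; prints nothing if absent.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# needs_update BANNER: prints "update", "ok" or "unknown".
needs_update() {
    v=$(httpd_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "update"
    else
        echo "ok"
    fi
    return 0
}

# affected_loaded MODULE_LIST: prints, sorted, the affected modules that
# appear in `httpd -M` output (first field of each " name (shared)" line).
affected_loaded() {
    printf '%s\n' "$1" | awk -v want="$AFFECTED_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) want_set[w[i]] = 1 }
        { m = $1; if (m in want_set) print m }' | sort
}

# With --live, query the real binary; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    for c in apachectl apache2ctl httpd; do
        if command -v "$c" >/dev/null 2>&1; then HTTPD="$c"; break; fi
    done
    [ -n "${HTTPD:-}" ] || { echo "no httpd binary found" >&2; exit 2; }
    needs_update "$("$HTTPD" -v 2>/dev/null)"
    affected_loaded "$("$HTTPD" -M 2>/dev/null)"
else
    needs_update "$SAMPLE_BANNER"        # prints "update" for the 2.4.66 sample
    affected_loaded "$SAMPLE_MODULES"    # prints http2_module and proxy_ajp_module
fi
```

Run it with `--live` on the host itself rather than against the `Server` response header, which `ServerTokens Prod` strips down to "Apache". Two caveats: distribution packages (Debian, RHEL and their derivatives) routinely backport security fixes without changing the upstream version number, so a banner below 2.4.67 on a distro-packaged host means checking the package changelog rather than concluding the host is unpatched; and a module not being loaded reduces exposure only for the module-specific entries in the list, not for the ones that name the server as a whole.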
Projects under the Apache umbrella are popular targets for cybercriminals. In mid-April, attackers exploited security vulnerabilities in Apache ActiveMQ Broker and ActiveMQ.
(dmk)