Latest Apache HTTP Server vulnerability: CVE-2026-23918 #
Apache disclosed that certain versions of Apache HTTP Server are affected by a double free vulnerability that may lead to remote code execution (RCE). This flaw occurs within the HTTP/2 protocol implementation when a stream undergoes an "early reset." While further technical details are not publicly available at this time, the vulnerability involves a memory management error triggered during specific HTTP/2 communication sequences. The vulnerability, designated CVE-2026-23918, is rated high with a base CVSS score of 8.8.
The following versions are affected
- Apache HTTP Server: Version 2.4.66
What is Apache HTTP Server? #
Apache HTTP Server is an open-source, cross-platform application that serves web content by processing requests via the Hypertext Transfer Protocol (HTTP).
What is the impact? #
Successful exploitation of the vulnerability could allow a low-privileged remote attacker to execute arbitrary code on the affected system.
Are updates or workarounds available? #
Upgrade affected systems to the new versions
- Apache HTTP Server: Version 2.4.67
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66October 2021: CVE-2021-41773 #
The Apache Software Foundation recently announced a path traversal vulnerability present in version 2.4.49 of the Apache HTTP Server software. Due to insufficient coverage of potential path traversal characters in the URL, an unauthenticated attacker can read files outside of the document root and even execute system commands in some configurations. While this vulnerability (CVE-2021-41773) only affects version 2.4.49 (and 2.4.50 as a variant), it was exploited in the wild to Apache publishing their security advisory.
Update: The 2.4.50 fix was incomplete and we strongly recommend upgrading to 2.4.51 or newer.
How to find potentially vulnerable Apache HTTP Servers #
From the Service Inventory, use the following pre-built query to locate vulnerable Apache HTTP Server instances in your network:
product:"apache httpd" AND protocol:http AND (http.head.server:"Apache/2.4.49" OR http.head.server:"Apache/2.4.50")
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Try runZero #
Don't have runZero and need help finding your Apache HTTP Server instances? Start your trial today.
