🚀 runZero 4.9 is here: Map the unmappable. Secure every path. More
runZero CAASM

On This Page:

  1. Latest Apache HTTP Server vulnerability: CVE-2026-23918
  2. What is Apache HTTP Server?
  3. What is the impact?
  4. Are updates or workarounds available?
  5. How to find potentially vulnerable systems with runZero
  6. October 2021: CVE-2021-41773
  7. How to find potentially vulnerable Apache HTTP Servers
  8. Try runZero

How to find Apache HTTP Server instances

Matthew Kienow
Pearce Barry
|
Updated

Latest Apache HTTP Server vulnerability: CVE-2026-23918 #

Apache disclosed that certain versions of Apache HTTP Server are affected by a double free vulnerability that may lead to remote code execution (RCE). This flaw occurs within the HTTP/2 protocol implementation when a stream undergoes an "early reset." While further technical details are not publicly available at this time, the vulnerability involves a memory management error triggered during specific HTTP/2 communication sequences. The vulnerability, designated CVE-2026-23918, is rated high with a base CVSS score of 8.8.

The following versions are affected

  • Apache HTTP Server: Version 2.4.66

    What is Apache HTTP Server? #

    Apache HTTP Server is an open-source, cross-platform application that serves web content by processing requests via the Hypertext Transfer Protocol (HTTP).

    What is the impact? #

    Successful exploitation of the vulnerability could allow a low-privileged remote attacker to execute arbitrary code on the affected system.

    Are updates or workarounds available? #

    Upgrade affected systems to the new versions

    • Apache HTTP Server: Version 2.4.67

    How to find potentially vulnerable systems with runZero #

    From the Software Inventory, use the following query to locate potentially impacted assets:

    vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66

    October 2021: CVE-2021-41773 #

    The Apache Software Foundation recently announced a path traversal vulnerability present in version 2.4.49 of the Apache HTTP Server software. Due to insufficient coverage of potential path traversal characters in the URL, an unauthenticated attacker can read files outside of the document root and even execute system commands in some configurations. While this vulnerability (CVE-2021-41773) only affects version 2.4.49 (and 2.4.50 as a variant), it was exploited in the wild to Apache publishing their security advisory.

    Update: The 2.4.50 fix was incomplete and we strongly recommend upgrading to 2.4.51 or newer.

    How to find potentially vulnerable Apache HTTP Servers #

    From the Service Inventory, use the following pre-built query to locate vulnerable Apache HTTP Server instances in your network:

    product:"apache httpd" AND protocol:http AND (http.head.server:"Apache/2.4.49" OR http.head.server:"Apache/2.4.50")
    Find vulnerable Apache HTTP Servers

    As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

    Try runZero #

    Don't have runZero and need help finding your Apache HTTP Server instances? Start your trial today.

    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

    More about Matthew Kienow

    Written by Pearce Barry

    More about Pearce Barry
    Subscribe Now

    Get the latest news and expert insights delivered in your inbox.

    Welcome to the club! Your subscription to our newsletter is successful.

    Explore more

    Watch Now • On Demand
    Vulnerability management is broken: what's the fix?

    HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

    Watch Now
    runZero Hour, Episode 17
    The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
    On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
    Watch Now
    Product Release
    Tackling the New Era of Exposure Management
    Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
    Read More
    Webcast
    The Unreasonable Effectiveness of Inside Out Attack Surface Management
    HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
    Watch Now

    See Results in Minutes

    See & secure your total attack surface. Even the unknowns & unmanageable.

    Try runZero for Free
    runZero CAASM
    © Copyright 2026 runZero, Inc. All Rights Reserved