The release of the Apache HTTP server 2.4.67 has been announced; it fixes 11 vulnerabilities and includes several dozen changes. The most dangerous vulnerability (CVE-2026-23918) is caused by a double free in the mod_http2 module and can potentially lead to remote code execution on the server through manipulation of the HTTP/2 protocol. The vulnerability is present only in release 2.4.66. The problem has been assigned a severity level of 8.8 out of 10.
Another vulnerability (CVE-2026-24072), also rated 8.8, is present in the mod_rewrite module and allows local hosting users who have the right to create “.htaccess” files to read the contents of any file on the system with the privileges of the user under which the httpd process runs.
Less dangerous vulnerabilities:
- CVE-2026-28780 – a buffer overflow in mod_proxy_ajp, which can be exploited when the proxy connects to a malicious AJP server. By sending specially formatted AJP (Apache JServ Protocol) messages, it is possible to write 4 bytes beyond the bounds of the allocated buffer.
- CVE-2026-29168 – lack of proper resource limits when processing a specially formatted OCSP response in mod_md.
- CVE-2026-29169 – a NULL pointer dereference in the mod_dav_lock module, which can be used to cause abnormal termination of a server process.
- CVE-2026-33006 – a side-channel attack (latency analysis) on mod_auth_digest, which allows Digest authentication to be bypassed.
- CVE-2026-33007 – a NULL pointer dereference in the mod_authn_socache module that can be used to crash a child process in configurations with a caching proxy.
- CVE-2026-33523