Security Advisory - Published 2026-06-08 - Apache httpd

Apache HTTP Server 2.4.68: CVE Self-Check for LDAP, WebDAV, Proxy, SSL, and HTTP/2

Apache HTTP Server 2.4.68 was released with fixes for several 2.4.x vulnerabilities. New monitor hits added CVE-2026-29167 in mod_ldap, CVE-2026-44186 in mod_proxy_ftp, and CVE-2026-44631 in regex configuration handling. The same update fixes WebDAV, proxy, XML, SSL, and HTTP/2 issues. Confirm the running version, check loaded modules, upgrade to 2.4.68, and restart Apache.

Scope: This is a patch and configuration guide. It does not include exploit traffic or crash samples.

What is affected

| CVE | Area | Affected versions | Operator note |
|---|---|---|---|
| CVE-2026-29167 | mod_ldap per-directory configuration | 2.4.0 through 2.4.67 | NVD scores this critical, while Apache lists vendor severity as low. Check LDAP-authenticated locations. |
| CVE-2026-42535 | mod_dav_fs WebDAV property database handling | 2.4.67 and earlier | Higher concern when WebDAV authoring is enabled for users or customers. |
| CVE-2026-44186 | mod_proxy_ftp infinite loop | 2.4.0 through 2.4.67 | Relevant on old FTP proxy setups, especially when backend FTP content is not fully trusted. |
| CVE-2026-44631 | Regular-expression configuration handling | 2.4.0 through 2.4.67 | Review crafted or user-maintained regex rules in Apache configuration and included vhost files. |
| CVE-2026-34355 | mod_proxy_html buffer overflow | 2.4.0 through 2.4.67 | Higher concern when Apache proxies untrusted backend content. |
| CVE-2026-34356 | ProxyPassReverseCookie* heap overflow | 2.4.0 through 2.4.67 | Review reverse proxy cookie rewriting. |
| CVE-2026-42536 | mod_xml2enc heap overflow | 2.4.0 through 2.4.67 | Relevant when XML conversion modules are loaded. |
| CVE-2026-44185 | mod_ssl OCSP buffer over-read | 2.4.0 through 2.4.67 | Watch outbound OCSP behavior and TLS module exposure. |
| CVE-2026-48913 | mod_http2 use-after-free | 2.4.55 through 2.4.67 | Relevant when HTTP/2 is enabled and file handles are exhausted. |

10-minute self-check

Step 1: Check the running version

apache2 -v 2>/dev/null || httpd -v 2>/dev/null

If the server reports 2.4.67 or earlier, plan the 2.4.68 update. Container images and control panels may lag behind package repositories, so check the running binary instead of relying on package metadata alone.

Step 2: Check loaded modules

apache2ctl -M 2>/dev/null | grep -E 'ldap|authnz_ldap|dav|dav_fs|proxy_ftp|proxy_html|proxy|xml2enc|ssl|http2'
httpd -M 2>/dev/null | grep -E 'ldap|authnz_ldap|dav|dav_fs|proxy_ftp|proxy_html|proxy|xml2enc|ssl|http2'

Loaded modules do not prove exploitation. They tell you which part of the advisory applies to your server and which logs/configs to review after patching.

Step 3: Check WebDAV exposure

grep -Rni 'DAV On\|DavLockDB\|Alias.*dav\|LimitExcept\|Require user\|Require group' /etc/apache2 /etc/httpd 2>/dev/null | head -100

CVE-2026-42535 needs attention when WebDAV authoring is available. Focus on locations that let customers, editors, or application users write content through Apache rather than through a separate application.

Step 4: Search reverse proxy configuration

grep -Rni 'AuthLDAPURL\|LDAPVerifyServerCert\|ProxyPass\|ProxyPassReverse\|ProxyPassReverseCookie\|proxy:ftp\|ftp://\|mod_proxy_html\|H2\|SetEnvIf\|SetEnvIfNoCase\|RewriteRule\|FilesMatch\|LocationMatch\|DirectoryMatch' /etc/apache2 /etc/httpd 2>/dev/null | head -120

Prioritize LDAP-authenticated directories, reverse proxy cookie rewriting, and old FTP proxy routes. Also review regex-heavy configuration that came from old snippets, customer-managed vhosts, or copied WAF rules. Proxy-related issues matter more when the backend is managed by a partner, customer, or legacy system outside your normal release process.
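
The version and module checks from Steps 1 and 2 can be tied back to the table in one pass. The script below is an added example, not part of the original advisory or of Apache's tooling: it parses `httpd -v` and `httpd -M` output and prints the table rows that apply. The sample output is constructed, the `any` label for the regex issue is a placeholder, and "2.4.67 and earlier" is treated as 2.4.0 through 2.4.67.

```shell
#!/bin/sh
# Added example: constructed sample output, not captured from a real server.
SAMPLE_V='Server version: Apache/2.4.62 (Debian)
Server built:   2024-10-04T15:21:08'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)
 proxy_module (shared)
 proxy_ftp_module (shared)
 ssl_module (shared)'

# Read `httpd -v` / `apache2 -v` output on stdin, print the x.y.z version.
parse_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed if version $1 is 2.4.N with $2 <= N <= $3.
in_range() {
    case "$1" in 2.4.*) ;; *) return 1 ;; esac
    patch=${1#2.4.}
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -ge "$2" ] && [ "$patch" -le "$3" ]
}

# Print "CVE module" per table row that applies to version $1 given `-M` output $2.
# Rows: CVE, module, first/last affected 2.4.N; "any" = not tied to a module.
applicable_cves() {
    ver=$1; mods=$2
    while read -r cve module low high; do
        in_range "$ver" "$low" "$high" || continue
        if [ "$module" = any ] ||
           printf '%s\n' "$mods" | grep -q "^ *${module}_module "; then
            printf '%s %s\n' "$cve" "$module"
        fi
    done <<'EOF'
CVE-2026-29167 ldap 0 67
CVE-2026-42535 dav_fs 0 67
CVE-2026-44186 proxy_ftp 0 67
CVE-2026-44631 any 0 67
CVE-2026-34355 proxy_html 0 67
CVE-2026-34356 proxy 0 67
CVE-2026-42536 xml2enc 0 67
CVE-2026-44185 ssl 0 67
CVE-2026-48913 http2 55 67
EOF
}

# On a live host, feed real `httpd -v` / `httpd -M` output instead of the samples.
applicable_cves "$(printf '%s\n' "$SAMPLE_V" | parse_version)" "$SAMPLE_M"
```

A row in the output means the server is in the affected range with that module loaded; as with Step 2, it does not prove exploitation.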

Patch path

Debian / Ubuntu

sudo apt update
sudo apt install --only-upgrade apache2
apache2 -v
sudo systemctl restart apache2

RHEL / Rocky / AlmaLinux

sudo dnf update httpd
httpd -v
sudo systemctl restart httpd

Container images

docker images | grep -i httpd
docker pull httpd:2.4
docker compose up -d

After patching

  • Restart Apache and confirm the running process reports 2.4.68.
  • If LDAP authentication is enabled, review per-directory LDAP settings and test login after the restart.
  • If WebDAV is enabled, review DAV locations, author accounts, and property database paths.
  • If mod_proxy_ftp is loaded, confirm whether any FTP proxy routes are still needed.
  • Review regex-based directives in included vhost files, especially rules maintained outside your normal deployment process.
  • Watch error logs for child crashes, segmentation faults, or repeated worker restarts.
  • For reverse proxy sites, confirm backend trust boundaries and cookie rewrite rules.
  • For HTTP/2 sites, check whether file descriptor exhaustion alerts appeared before the patch.
  • Keep a rollback plan, but do not leave 2.4.67 running on internet-facing servers.

Ping7 repair path

Ping7 can review Apache versions, loaded modules, LDAP locations, WebDAV paths, proxy config, and post-patch logs. Start from CVE Repair and include your Apache version, OS, whether LDAP/WebDAV/reverse proxy is enabled, and any worker crash logs.
