Security Advisory - Published 2026-06-08 - Apache httpd
Apache HTTP Server 2.4.68: CVE Self-Check for LDAP, WebDAV, Proxy, SSL, and HTTP/2
Apache HTTP Server 2.4.68 was released with fixes for several 2.4.x vulnerabilities. New monitor hits added CVE-2026-29167 in mod_ldap, CVE-2026-44186 in mod_proxy_ftp, and CVE-2026-44631 in regex configuration handling. The same update fixes WebDAV, proxy, XML, SSL, and HTTP/2 issues. Confirm the running version, check loaded modules, upgrade to 2.4.68, and restart Apache.
What is affected
| CVE | Area | Affected versions | Operator note |
|---|---|---|---|
| CVE-2026-29167 | mod_ldap per-directory configuration | 2.4.0 through 2.4.67 | NVD scores this critical, while Apache lists vendor severity as low. Check LDAP-authenticated locations. |
| CVE-2026-42535 | mod_dav_fs WebDAV property database handling | 2.4.67 and earlier | Higher concern when WebDAV authoring is enabled for users or customers. |
| CVE-2026-44186 | mod_proxy_ftp infinite loop | 2.4.0 through 2.4.67 | Relevant on old FTP proxy setups, especially when backend FTP content is not fully trusted. |
| CVE-2026-44631 | Regular-expression configuration handling | 2.4.0 through 2.4.67 | Review crafted or user-maintained regex rules in Apache configuration and included vhost files. |
| CVE-2026-34355 | mod_proxy_html buffer overflow | 2.4.0 through 2.4.67 | Higher concern when Apache proxies untrusted backend content. |
| CVE-2026-34356 | ProxyPassReverseCookie* heap overflow | 2.4.0 through 2.4.67 | Review reverse proxy cookie rewriting. |
| CVE-2026-42536 | mod_xml2enc heap overflow | 2.4.0 through 2.4.67 | Relevant when XML conversion modules are loaded. |
| CVE-2026-44185 | mod_ssl OCSP buffer over-read | 2.4.0 through 2.4.67 | Watch outbound OCSP behavior and TLS module exposure. |
| CVE-2026-48913 | mod_http2 use-after-free | 2.4.55 through 2.4.67 | Relevant when HTTP/2 is enabled and file handles are exhausted. |
10-minute self-check
Step 1: Check the running version
apache2 -v 2>/dev/null || httpd -v 2>/dev/null
If the server reports 2.4.67 or earlier, plan the 2.4.68 update. Container images and control panels may lag behind package repositories, so check the running binary instead of relying on package metadata alone.
Step 2: Check loaded modules
apache2ctl -M 2>/dev/null | grep -E 'ldap|authnz_ldap|dav|dav_fs|proxy_ftp|proxy_html|proxy|xml2enc|ssl|http2'
httpd -M 2>/dev/null | grep -E 'ldap|authnz_ldap|dav|dav_fs|proxy_ftp|proxy_html|proxy|xml2enc|ssl|http2'
Loaded modules do not prove exploitation. They tell you which part of the advisory applies to your server and which logs/configs to review after patching.
Step 3: Check WebDAV exposure
grep -Rni 'DAV On\|DavLockDB\|Alias.*dav\|LimitExcept\|Require user\|Require group' /etc/apache2 /etc/httpd 2>/dev/null | head -100
CVE-2026-42535 needs attention when WebDAV authoring is available. Focus on locations that let customers, editors, or application users write content through Apache rather than through a separate application.
Step 4: Search reverse proxy configuration
grep -Rni 'AuthLDAPURL\|LDAPVerifyServerCert\|ProxyPass\|ProxyPassReverse\|ProxyPassReverseCookie\|proxy:ftp\|ftp://\|mod_proxy_html\|H2\|SetEnvIf\|SetEnvIfNoCase\|RewriteRule\|FilesMatch\|LocationMatch\|DirectoryMatch' /etc/apache2 /etc/httpd 2>/dev/null | head -120
Prioritize LDAP-authenticated directories, reverse proxy cookie rewriting, and old FTP proxy routes. Also review regex-heavy configuration that came from old snippets, customer-managed vhosts, or copied WAF rules. Proxy-related issues matter more when the backend is managed by a partner, customer, or legacy system outside your normal release process.
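The version and module checks above can be combined into one triage pass that prints only the rows of the "What is affected" table that apply to a host. This is an added example, not part of the original advisory; the function names and the `regex-config` label are hypothetical, and CVE-2026-44631 is assumed to apply regardless of loaded modules because the table names no module for it.

```shell
# Added example: list advisory CVEs that apply, given a version string
# and an `httpd -M` module list. Function names are hypothetical.

# Pull "2.4.67" out of "Server version: Apache/2.4.67 (Unix)" on stdin.
parse_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# True when dotted version $1 is strictly lower than $2.
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# applicable_cves VERSION < module-list ; prints "CVE area" per match.
# Rows: module id as printed by -M, CVE, lowest affected version (page table).
# "-" marks a row with no module to test (assumption for the regex issue).
applicable_cves() {
    v=$1
    mods=$(cat)
    version_lt "$v" 2.4.68 || return 0   # 2.4.68 and later carry the fixes
    while IFS=: read -r mod cve min; do
        if version_lt "$v" "$min"; then continue; fi
        if [ "$mod" = "-" ]; then
            echo "$cve regex-config"
        elif printf '%s\n' "$mods" | grep -q "^ *${mod} "; then
            echo "$cve $mod"
        fi
    done <<'EOF'
ldap_module:CVE-2026-29167:2.4.0
dav_fs_module:CVE-2026-42535:0.0.0
proxy_ftp_module:CVE-2026-44186:2.4.0
-:CVE-2026-44631:2.4.0
proxy_html_module:CVE-2026-34355:2.4.0
proxy_module:CVE-2026-34356:2.4.0
xml2enc_module:CVE-2026-42536:2.4.0
ssl_module:CVE-2026-44185:2.4.0
http2_module:CVE-2026-48913:2.4.55
EOF
    return 0
}

# Constructed sample input; on a real host pipe in `httpd -v` and `httpd -M`.
SAMPLE_MODS=' core_module (static)
 ssl_module (shared)
 proxy_module (shared)
 http2_module (shared)'
echo "$SAMPLE_MODS" | applicable_cves "$(echo 'Server version: Apache/2.4.54 (Unix)' | parse_version)"
```

Distribution packages that backport fixes keep the upstream version string, so treat a match as a prompt to check the vendor changelog, not as proof the host is unpatched.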
Patch path
Debian / Ubuntu
sudo apt update
sudo apt install --only-upgrade apache2
apache2 -v
sudo systemctl restart apache2
RHEL / Rocky / AlmaLinux
sudo dnf update httpd
httpd -v
sudo systemctl restart httpd
Container images
docker images | grep -i httpd
docker pull httpd:2.4
docker compose up -d
After patching
- Restart Apache and confirm the running process reports 2.4.68.
- If LDAP authentication is enabled, review per-directory LDAP settings and test login after the restart.
- If WebDAV is enabled, review DAV locations, author accounts, and property database paths.
- If mod_proxy_ftp is loaded, confirm whether any FTP proxy routes are still needed.
- Review regex-based directives in included vhost files, especially rules maintained outside your normal deployment process.
- Watch error logs for child crashes, segmentation faults, or repeated worker restarts.
- For reverse proxy sites, confirm backend trust boundaries and cookie rewrite rules.
- For HTTP/2 sites, check whether file descriptor exhaustion alerts appeared before the patch.
- Keep a rollback plan, but do not leave 2.4.67 running on internet-facing servers.
Ping7 repair path
Ping7 can review Apache versions, loaded modules, LDAP locations, WebDAV paths, proxy config, and post-patch logs. Start from CVE Repair and include your Apache version, OS, whether LDAP/WebDAV/reverse proxy is enabled, and any worker crash logs.