The Apache Software Foundation released HTTP Server 2.4.67 on May 4, 2026, addressing 11 security vulnerabilities. The most severe is CVE-2026-23918 (CVSS 8.8), a double-free memory corruption flaw in Apache’s HTTP/2 implementation that can enable remote code execution. A separate moderate-severity issue, CVE-2026-24072, allows any user with write access to a .htaccess file to read files belonging to other accounts on the same server. For providers running shared hosting at scale, those two vulnerabilities together make the 2.4.67 patch urgent.
CVE-2026-23918: How a Crafted HTTP/2 Frame Opens the Door to Code Execution
CVE-2026-23918 is classified as CWE-415 (double free). Per the advisory it affects only Apache HTTP Server 2.4.66; earlier releases do not contain the flaw. It sits in the HTTP/2 protocol handler: when a client resets a stream early with a crafted frame, the server frees the same heap allocation twice. That corrupts the heap, and heap corruption of this kind can, given a suitable allocation pattern, be turned into control of execution flow and arbitrary code execution as the httpd worker. The OSS-security announcement describes it as "possible RCE", so treat the code-execution outcome as plausible rather than demonstrated, and the denial-of-service outcome (a crashed worker) as the floor.
The CVSS 8.8 score reflects the following: the flaw is reachable over the network with low attack complexity, requires no user interaction, requires only low privileges on the attacker's side, and produces high impact on confidentiality, integrity, and availability (in CVSS 3.1 terms, AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The privilege requirement is the only component keeping the score below the 9.8 that the same impact would earn for a fully unauthenticated attacker; for prioritisation purposes it should be treated as a remotely triggerable memory-corruption bug.
Researchers Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl) reported the vulnerability to the Apache security team on December 10, 2025. The public patch shipped as part of 2.4.67 on May 4, 2026, five months after the private report. A fix had been committed internally the day after the initial report, meaning the patch existed well before the CVE became public knowledge. No confirmed exploitation in the wild has been reported as of May 5, 2026.
For servers that cannot be patched immediately, disabling HTTP/2 (removing h2 and h2c from the Protocols directive, or not loading mod_http2 at all) removes the reachable code path for this one vulnerability without a full upgrade. It does nothing for the other ten CVEs in the release and it costs HTTP/2 for every site on the server, so it is a stopgap, not a substitute for 2.4.67.
CVE-2026-24072: Every Shared Hosting Customer Is a Potential Threat to the Others
CVE-2026-24072 is a privilege escalation flaw in mod_rewrite, rated moderate, affecting Apache HTTP Server releases through 2.4.66. The flaw lies in how mod_rewrite evaluates ap_expr expressions read from .htaccess files. Because those expressions are evaluated inside the httpd process, a user who can write a .htaccess file can craft one that makes httpd read files outside that user's own directory with whatever access the httpd service account has, which on a shared host includes every customer's document root.
In a shared hosting environment, .htaccess write access is standard. Every customer has it. CVE-2026-24072 means that any customer on an unpatched shared server can potentially read files belonging to other accounts on the same machine, including configuration files, application credentials, or private data stored in adjacent directories. The researcher identified as y7syeu reported the flaw on January 20, 2026.
Unlike the HTTP/2 RCE, this vulnerability does not require an external attacker; the attacker is an existing tenant who already holds a hosting account on the affected server. For providers with hundreds or thousands of shared hosting customers, exposure scales with the number of accounts, because each one is a potential source.
CVE-2026-33006 and the Eight Low-Severity Issues in the Same Patch
The third noteworthy vulnerability in the 2.4.67 release is CVE-2026-33006 (moderate), a timing attack against mod_auth_digest. An unauthenticated remote attacker can exploit timing differences in the server’s digest authentication response to bypass authentication. Digest authentication is less common in modern deployments but remains in use in legacy configurations, particularly on older shared hosting stacks and internally facing admin panels.
Eight additional CVEs in the patch are rated low severity. Four of them affect mod_proxy_ajp, the module used to proxy requests to Java application servers via the AJP protocol:
- CVE-2026-28780: Heap buffer overflow in mod_proxy_ajp, exploitable if the server connects to a malicious AJP backend
- CVE-2026-33857: Off-by-one out-of-bounds reads in AJP getter functions
- CVE-2026-34032: Improper null termination and out-of-bounds read in mod_proxy_ajp
- CVE-2026-34059: Buffer over-read and memory disclosure in mod_proxy_ajp
Four separate AJP vulnerabilities in a single release reflects sustained security research attention on that module. They are rated low individually, in part because at least one of them (CVE-2026-28780) requires a malicious AJP backend rather than a plain client request, but a compromised Tomcat instance behind Apache is exactly the case in which a backend turns hostile. Providers running Apache in front of Tomcat or other Java backends over AJP should treat the set as a higher priority than the individual ratings suggest.
The remaining four low-severity CVEs are:
- CVE-2026-29168: Resource exhaustion in mod_md via unrestricted OCSP response data (affects 2.4.30 through 2.4.66)
- CVE-2026-29169: NULL pointer dereference in mod_dav_lock; crashes the server process on a malicious request. Removing mod_dav_lock from the configuration mitigates this without patching.
- CVE-2026-33007: NULL pointer dereference in mod_authn_socache in caching forward proxy setups
- CVE-2026-33523: HTTP response splitting across multiple modules when backends are untrusted or compromised
Upgrade, Disable HTTP/2, or Remove the Module: Three Options, One Deadline
The complete fix for all 11 vulnerabilities is upgrading to Apache HTTP Server 2.4.67; the other two options are stopgaps that each neutralise a single CVE. For the HTTP/2 RCE (CVE-2026-23918), disabling HTTP/2 is a temporary mitigation that removes the specific attack vector without a full upgrade. For mod_dav_lock (CVE-2026-29169), removing the module from the active configuration is sufficient if the module is not in use.
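The three options above, plus the HTTP/2 mitigation mentioned earlier and the mod_dav_lock removal from the CVE list, all reduce to questions a provider has to answer per host: which 2.4.x build is running, is mod_http2 loaded and offering h2, is mod_dav_lock loaded. The following is an added example written for this article, not code from the Apache project or the 2.4.67 release. It parses constructed `httpd -v` / `apachectl -M` output and two constructed vhost fragments so that it runs offline; the module names, the `Protocols` directive and the `(static)`/`(shared)` output format are Apache's, while the sample hostnames, paths and version strings are invented for the example.

```shell
#!/bin/sh
# Added example for this article, not code from the Apache project or the
# 2.4.67 release: an offline pre-patch audit for the three options above
# (upgrade; drop HTTP/2 for CVE-2026-23918; drop mod_dav_lock for
# CVE-2026-29169). All httpd -v / apachectl -M output and both vhost
# fragments below are constructed samples; feed in live output on a real host.
set -eu

FIXED_PATCH=67   # 2.4.67 is the first release carrying all 11 fixes

# needs_patch "<httpd -v output>" -> yes | no | unknown, by 2.4.x patch level.
# Caveat: distributions often backport fixes without bumping the upstream
# version string, so "yes" means "check the package changelog", not
# "definitely vulnerable".
needs_patch() {
    patch=$(printf '%s\n' "$1" \
        | sed -n 's|.*Apache/2\.4\.\([0-9][0-9]*\).*|\1|p' | head -n 1)
    if [ -z "$patch" ]; then
        echo unknown
    elif [ "$patch" -lt "$FIXED_PATCH" ]; then
        echo yes
    else
        echo no
    fi
}

# module_loaded <module_name> "<apachectl -M output>" -> yes | no
module_loaded() {
    if printf '%s\n' "$2" \
        | grep -Eq "^[[:space:]]*$1[[:space:]]+\((static|shared)\)"; then
        echo yes
    else
        echo no
    fi
}

# http2_offered <conf-file> -> yes if an uncommented Protocols line lists h2
# (TLS) or h2c (cleartext). No Protocols directive at all means http/1.1 only.
# Caveat: scans one file; run it over every file the server config Includes.
http2_offered() {
    if grep -Eiq \
        '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)' \
        "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed samples (hostnames, paths and build date are invented).
SAMPLE_VERSION='Server version: Apache/2.4.66 (Unix)
Server built:   Mar  3 2026 10:12:45'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 dav_lock_module (shared)
 rewrite_module (shared)'
SAMPLE_MODULES_HARDENED='Loaded Modules:
 core_module (static)
 rewrite_module (shared)'

WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Typical pre-mitigation vhost: HTTP/2 negotiated over TLS, both modules loaded.
cat >"$WEAK_CONF" <<'EOF'
LoadModule http2_module modules/mod_http2.so
LoadModule dav_lock_module modules/mod_dav_lock.so
<VirtualHost *:443>
    Protocols h2 http/1.1
</VirtualHost>
EOF

# Interim mitigation until 2.4.67 is installed: HTTP/1.1 only, neither module
# loaded. The other nine CVEs in the release still require the upgrade.
cat >"$HARDENED_CONF" <<'EOF'
#LoadModule http2_module modules/mod_http2.so
#LoadModule dav_lock_module modules/mod_dav_lock.so
<VirtualHost *:443>
    Protocols http/1.1
</VirtualHost>
EOF

# audit "<httpd -v>" "<apachectl -M>" <conf>: one key=value per finding,
# easy to collect across a fleet.
audit() {
    printf 'needs_2.4.67=%s\n'        "$(needs_patch "$1")"
    printf 'mod_http2_loaded=%s\n'    "$(module_loaded http2_module "$2")"
    printf 'http2_offered=%s\n'       "$(http2_offered "$3")"
    printf 'mod_dav_lock_loaded=%s\n' "$(module_loaded dav_lock_module "$2")"
}

echo '== before mitigation =='
audit "$SAMPLE_VERSION" "$SAMPLE_MODULES" "$WEAK_CONF"
echo '== after mitigation (upgrade still pending) =='
audit "$SAMPLE_VERSION" "$SAMPLE_MODULES_HARDENED" "$HARDENED_CONF"
```

On a live host the same functions take real input, for example `audit "$(httpd -v)" "$(apachectl -M 2>/dev/null)" /etc/httpd/conf.d/ssl.conf` (the config path is whatever your distribution uses; the one shown is an assumption). After a reload, confirm from the outside with `curl -sI --http2 -o /dev/null -w '%{http_version}\n' https://your-host/`, which prints 2 while HTTP/2 is still negotiated and 1.1 once it is gone. Neither check replaces the upgrade: a server that passes both still carries the other nine CVEs.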
Apache HTTP Server runs on 23.7% of all websites globally, according to W3Techs data from May 2026. Most managed hosting environments built on cPanel or Plesk use Apache as their primary web server, so whether a given provider's stack is patched depends on how quickly the control panel vendor ships 2.4.67. Providers who manage Apache independently of a control panel vendor should apply the update directly rather than wait on a packaged release. Note that distribution packages frequently backport security fixes without changing the upstream version string, so the package changelog, not the reported version alone, is the authoritative check.
The combination of a network-exploitable CVSS 8.8 RCE and a shared hosting privilege escalation flaw in the same release is unusual. Either vulnerability on its own would be sufficient reason to treat 2.4.67 as an urgent patch. Together, they make the update a priority for any provider whose customers share server resources.
Natalia Nowak
Hosting specialist with e-commerce experience and a background in copywriting. I focus on content that is clear, technical, and to the point.
Sources
- Apache HTTP Server 2.4 Vulnerabilities, Apache Software Foundation (official advisory)
- CVE-2026-23918, National Vulnerability Database (NIST)
- CVE-2026-23918: Apache HTTP Server http2 double free and possible RCE on early reset, OSS Security mailing list
- Critical Apache HTTP Server Flaw Exposes Millions of Servers to Remote Code Execution Attacks, Cybersecurity News
- Usage Statistics of Apache for Websites, W3Techs (May 2026)