Apache HTTP Server 2.4.68 fixes 13 security vulnerabilities


Apache HTTP Server 2.4.68 is now available with fixes for 13 security vulnerabilities affecting multiple modules, including mod_http2, mod_proxy_ftp, mod_proxy_html, mod_ssl, mod_ldap, mod_dav_fs, and mod_xml2enc.

The Apache Software Foundation released the update on June 8, 2026. In the official Apache HTTP Server 2.4.68 announcement, the project described the release as a security, feature, and bug fix update, and encouraged users of all previous versions to upgrade.

The fixed issues include use-after-free bugs, denial-of-service flaws, cross-site scripting, buffer overflows, an out-of-bounds read, and a local privilege escalation issue involving .htaccess expressions.

Apache 2.4.68 addresses low and moderate severity flaws

Apache’s official severity ratings for this release range from low to moderate. That does not mean admins should ignore the update, since some issues can crash worker processes, expose sensitive files in specific local-author scenarios, or become more serious in proxy and backend configurations.

The project’s Apache HTTP Server 2.4 vulnerability list confirms that all 13 vulnerabilities were fixed in version 2.4.68. Many affect Apache HTTP Server 2.4.67 and earlier, although some have narrower affected ranges.

Admins should pay special attention to servers that enable HTTP/2, proxy FTP traffic, proxy HTML content from untrusted backends, support WebDAV authoring, or allow local users to control .htaccess files.

| CVE | Module or feature | Apache rating | Issue type |
| --- | --- | --- | --- |
| CVE-2026-29167 | mod_ldap | Low | Use-after-free |
| CVE-2026-29170 | mod_proxy_ftp | Low | Cross-site scripting |
| CVE-2026-34355 | mod_proxy_html | Moderate | Buffer overflow |
| CVE-2026-34356 | ProxyPassReverseCookieMap | Low | Heap-based buffer overflow |
| CVE-2026-42535 | mod_dav_fs | Moderate | Path handling issue |
| CVE-2026-42536 | mod_xml2enc | Low | Heap-based buffer overflow |
| CVE-2026-43951 | mod_headers and mod_mime | Moderate | Out-of-bounds read |
| CVE-2026-44119 | .htaccess expressions | Moderate | Privilege escalation |
| CVE-2026-44185 | mod_ssl OCSP | Low | Stack buffer over-read |
| CVE-2026-44186 | mod_proxy_ftp | Moderate | Denial of service |
| CVE-2026-44631 | ap_regname | Low | Heap underflow |
| CVE-2026-48913 | mod_http2 | Low | Use-after-free |
| CVE-2026-49975 | mod_http2 | Moderate | Denial of service |

HTTP/2 and proxy modules receive important fixes

Two of the fixed flaws affect mod_http2. CVE-2026-48913 is a use-after-free vulnerability that can occur when file handles are already exhausted. It affects Apache HTTP Server versions 2.4.55 through 2.4.67.

CVE-2026-49975 is a denial-of-service issue in mod_http2 involving excessive memory allocation. Apache says this issue affects versions 2.4.17 through 2.4.67 and can be triggered through malicious HTTP requests.

Proxy-related fixes also make up a major part of this release. CVE-2026-29170 affects mod_proxy_ftp and can allow cross-site scripting when Apache generates HTML directory listings for FTP contents. CVE-2026-44186, also in mod_proxy_ftp, can trigger an infinite loop through an attacker-controlled backend FTP server.

  • CVE-2026-34355 fixes a mod_proxy_html buffer overflow that can be triggered by an untrusted backend.
  • CVE-2026-34356 fixes a heap-based buffer overflow involving malicious backend servers and ProxyPassReverseCookieMap behavior.
  • CVE-2026-29170 affects FTP directory listing output in proxy configurations.
  • CVE-2026-44186 can cause a denial-of-service condition through mod_proxy_ftp.

Memory corruption and local privilege risks fixed

Apache 2.4.68 also fixes several memory safety issues outside HTTP/2 and proxy handling. CVE-2026-29167 is a mod_ldap use-after-free issue in per-directory configuration, affecting versions 2.4.0 through 2.4.67.

CVE-2026-42536 affects mod_xml2enc and involves a heap-based buffer overflow when handling untrusted content. CVE-2026-44631 affects ap_regname and involves a heap underflow caused by crafted regular expressions in configuration.

The release also fixes CVE-2026-43951, an out-of-bounds read in merge_response_headers involving mod_headers, mod_mime, and multiple response languages. Apache says the issue can cause a child process crash.

| Risk area | Relevant CVEs | What admins should check |
| --- | --- | --- |
| HTTP/2 | CVE-2026-48913, CVE-2026-49975 | Check whether mod_http2 is enabled and whether servers run affected Apache versions. |
| Proxy features | CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-44186 | Review reverse proxy, forward proxy, FTP proxy, and untrusted backend exposure. |
| Local user configuration | CVE-2026-44119 | Review systems where local users can write .htaccess files. |
| WebDAV | CVE-2026-42535 | Check deployments that allow WebDAV authors to manage content. |
| TLS and OCSP | CVE-2026-44185 | Review outbound OCSP behavior when servers may contact attacker-controlled OCSP responders. |

Why admins should upgrade to Apache 2.4.68

The Apache HTTP Server project says version 2.4.68 is the best available release from the 2.4.x stable branch. The Apache release notice also says users of all previous versions should upgrade.

The update matters even if a server does not use every affected module. Apache often runs in complex hosting, reverse proxy, application gateway, and enterprise environments where enabled modules, backend trust boundaries, and local author permissions may vary between systems.

Version 2.4.68 is available from the official Apache HTTP Server download page. Admins who install Apache through Linux distributions or managed hosting platforms should also check their vendor repositories for patched builds.

What security teams should do now

Security teams should first inventory internet-facing and internal Apache HTTP Server instances, then identify version numbers and enabled modules. Priority should go to systems exposed to untrusted traffic, reverse proxies, HTTP/2 endpoints, and shared hosting environments where .htaccess files are used.

Admins should also review whether servers use mod_proxy_ftp, mod_proxy_html, WebDAV, mod_http2, mod_ssl OCSP behavior, mod_ldap, mod_xml2enc, mod_headers, or mod_mime in ways that match the fixed flaws in the official Apache vulnerability notes.

After upgrading, teams should restart affected services, confirm that Apache reports version 2.4.68 or a vendor-patched equivalent, and test critical websites, reverse proxy paths, TLS behavior, WebDAV workflows, and HTTP/2 traffic.

  • Upgrade Apache HTTP Server to 2.4.68 or a distribution-provided patched equivalent.
  • Prioritize internet-facing web servers and reverse proxies.
  • Review whether affected modules are enabled.
  • Restart Apache after patching and confirm the active version.
  • Test application behavior after the update, especially proxy, HTTP/2, TLS, and WebDAV paths.
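The inventory and post-patch version check described above, as an added POSIX shell helper that is not the Apache project's or this article's code. It assumes the standard `httpd -v` and `httpd -M` output formats (on Debian-based systems the binary is typically invoked as `apache2ctl`), and the module-to-CVE mapping is taken from the tables in this article.

```shell
#!/bin/sh
# Added triage helper (not code from the Apache project or this article).
# It parses the text that `httpd -v` and `httpd -M` print and reports whether
# the build predates 2.4.68 and which risk areas from the release table apply
# to the loaded module set. CVE-2026-44119 (.htaccess expressions) and
# CVE-2026-44631 (ap_regname, crafted regexes in configuration) depend on
# who controls configuration, so they cannot be judged from the module list.

# Return 0 when a dotted version such as "2.4.67" is older than 2.4.68.
version_older_than_2_4_68() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-dev"
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 4 ] && return 0
    [ "$min" -gt 4 ] && return 1
    [ "${patch:-0}" -lt 68 ]
}

# Extract "2.4.67" from a "Server version: Apache/2.4.67 (Unix)" line on stdin.
parse_httpd_version() {
    sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# Map loaded modules (stdin in `httpd -M` format, one "name_module (shared)"
# per line) to the risk areas that 2.4.68 fixes; duplicates are collapsed.
risk_areas_for_modules() {
    while read -r mod _; do
        case $mod in
            http2_module)      echo "HTTP/2: CVE-2026-48913, CVE-2026-49975" ;;
            proxy_ftp_module)  echo "Proxy FTP: CVE-2026-29170, CVE-2026-44186" ;;
            proxy_html_module) echo "Proxy HTML: CVE-2026-34355" ;;
            proxy_module)      echo "ProxyPassReverseCookieMap: CVE-2026-34356" ;;
            dav_fs_module)     echo "WebDAV: CVE-2026-42535" ;;
            ssl_module)        echo "TLS and OCSP: CVE-2026-44185" ;;
            ldap_module)       echo "LDAP: CVE-2026-29167" ;;
            xml2enc_module)    echo "xml2enc: CVE-2026-42536" ;;
            headers_module|mime_module) echo "Headers/MIME: CVE-2026-43951" ;;
        esac
    done | LC_ALL=C sort -u
}
```

On a live host, run `httpd -v | parse_httpd_version` and `httpd -M 2>/dev/null | risk_areas_for_modules` after sourcing the file; a version check returning 0 means the build still needs the 2.4.68 fixes or a vendor backport.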

The official Apache download page provides the updated source release. Organizations using packaged builds should follow their operating system vendor’s update process, but should still make sure the installed build includes the 2.4.68 security fixes.

FAQ

What is Apache HTTP Server 2.4.68?

Apache HTTP Server 2.4.68 is a security, feature, and bug fix release published on June 8, 2026. It fixes 13 vulnerabilities affecting multiple Apache modules and features.

How many vulnerabilities does Apache HTTP Server 2.4.68 fix?

Apache HTTP Server 2.4.68 fixes 13 security vulnerabilities. Apache rates them as low or moderate severity, depending on the issue and affected module.

Which Apache modules are affected by the 2.4.68 security fixes?

The fixes affect modules and features including mod_http2, mod_proxy_ftp, mod_proxy_html, mod_ssl, mod_ldap, mod_dav_fs, mod_xml2enc, mod_headers, mod_mime, ProxyPassReverseCookieMap, ap_regname, and .htaccess expressions.

Do all Apache 2.4.68 vulnerabilities affect every older 2.4.x version?

No. Some issues affect versions 2.4.0 through 2.4.67, but others affect narrower ranges. For example, CVE-2026-48913 affects versions 2.4.55 through 2.4.67, while CVE-2026-49975 affects versions 2.4.17 through 2.4.67.

Should admins upgrade to Apache HTTP Server 2.4.68?

Yes. The Apache HTTP Server project recommends that users of all previous versions upgrade to 2.4.68. Organizations using Linux distribution packages should install the vendor-provided patched build when available.
