Description
Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap-based buffer overflow in the mod_proxy_ajp component allows a malicious AJP server to send an crafted message that causes the server to write four attacker‑controlled bytes beyond the end of a heap buffer. This flaw is classified as CWE‑122 and can lead to manipulation of server memory that may execute arbitrary code.

Affected Systems

The vulnerability affects all Apache HTTP Server releases up through version 2.4.66. The affected product is the Apache HTTP Server, as distributed by the Apache Software Foundation.

Risk and Exploitability

The attack requires control of an AJP server that the web server connects to. The EPSS score is <1% and the vulnerability is not listed in CISA KEV, but the CVSS score of 9.8 indicates a critical severity. The nature of a heap‑overflow flaw suggests it could be exploitable by remote actors if they can influence the AJP communication channel, presenting a high risk if the conditions for exploitation are met.

Generated by OpenCVE AI on May 6, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later to apply the patch that eliminates the overflow condition.
  • If mod_proxy_ajp is not required for your environment, remove or comment out the ProxyPass directive that enables it to prevent the vulnerable code path from executing.
  • Configure network access to the AJP port to allow connections only from trusted internal hosts or VPN endpoints, limiting the ability of an attacker to direct malicious AJP traffic to the server.

Generated by OpenCVE AI on May 6, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4571-1 [ERRATUM] [DLA 4571-1] apache2 security update
Debian DSA Debian DSA DSA-6248-1 apache2 security update
Ubuntu USN Ubuntu USN USN-8239-1 Apache HTTP Server vulnerabilities
History

Wed, 06 May 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Wed, 06 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 05 May 2026 23:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
Weaknesses CWE-122
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-06T15:50:18.682Z

Reserved: 2026-03-03T12:31:23.999Z

Link: CVE-2026-28780

cve-icon Vulnrichment

Updated: 2026-05-06T15:49:53.062Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T22:16:00.390

Modified: 2026-05-06T20:31:10.843

Link: CVE-2026-28780

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-05T21:29:41Z

Links: CVE-2026-28780 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T17:30:08Z

Weaknesses