Description
A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.
Published: 2026-03-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Corrupted INFO response body via CRLF injection (integrity only; the recorded CVSS vector scores confidentiality and availability impact as none)
Action: Apply Workaround
AI Analysis

Impact

CVE-2026-3234 identifies a flaw in the mod_proxy_cluster module for Apache httpd: a carriage return line feed (CRLF) injection in the decodeenc() function lets an attacker with network access to the MCMP port bypass input validation. By injecting CRLF sequences into the cluster configuration, the attacker corrupts the response body of INFO endpoint responses. This does not provide code execution, but it can feed manipulated node data to anything that consumes INFO output and create confusion in downstream components. The CVSS 3.1 vector recorded for the CVE (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, score 4.3) rates the impact as a limited loss of integrity only, with no confidentiality or availability impact, reachable from an adjacent network without authentication or user interaction.
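The mechanism behind CWE-93 as it applies here, shown as an added example rather than code from mod_proxy_cluster or from the advisory: a percent-decoder that trusts whatever it decodes lets an encoded CRLF in one MCMP parameter become a second line, and a later line-oriented INFO-style listing then shows a forged record. The parameter format, the record layout, the field names and the sample messages are constructed for this example and are assumptions, not the module's real decodeenc() or INFO output; the hardened decoder is the check a fix of this bug class needs.

```python
"""
Added example, not code from mod_proxy_cluster or from the advisory: a model of
how a CRLF that survives percent-decoding of an MCMP parameter lands in a
line-oriented INFO-style response, next to a decoder that rejects it.
The parameter format, the record layout and the sample messages are
constructed here for illustration (assumptions, not the module's real code).
"""
from urllib.parse import unquote

# Line terminators that must never reach a line-oriented response body.
FORBIDDEN = ("\r", "\n")


def _pairs(body: str):
    """Split 'k=v&k2=v2' into raw (key, value) pairs, skipping empty entries."""
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield key, value


def decode_params_vulnerable(body: str) -> dict:
    """Percent-decode every key and value and trust the result as-is.
    Modelled on the CWE-93 bug class; assumed, not the real decodeenc()."""
    return {unquote(k): unquote(v) for k, v in _pairs(body)}


def decode_params_hardened(body: str) -> dict:
    """Same decoding, but refuse any decoded key or value that carries CR or LF."""
    out = {}
    for k, v in _pairs(body):
        key, value = unquote(k), unquote(v)
        if any(c in key or c in value for c in FORBIDDEN):
            raise ValueError(f"CR/LF in MCMP parameter {key!r}")
        out[key] = value
    return out


def render_info(nodes: list) -> str:
    """One record per line, loosely modelled on an INFO listing
    (the field set is an assumption for this example)."""
    lines = [
        f"Node: [{i}],Name: {n['JVMRoute']},Host: {n['Host']},Port: {n['Port']}"
        for i, n in enumerate(nodes, 1)
    ]
    return "\n".join(lines) + "\n"


def info_lines(config_body: str, hardened: bool) -> list:
    """Register one node from a CONFIG-style body and return the INFO lines."""
    decode = decode_params_hardened if hardened else decode_params_vulnerable
    return render_info([decode(config_body)]).splitlines()


# Constructed messages. The malicious one hides an encoded CRLF plus a forged
# second record in the Port value.
BENIGN = "JVMRoute=node1&Host=10.0.0.5&Port=8009"
MALICIOUS = (
    "JVMRoute=node1&Host=10.0.0.5&Port=8009"
    "%0D%0ANode:%20[2],Name:%20evil,Host:%2010.0.0.9,Port:%208009"
)

if __name__ == "__main__":
    print("\n".join(info_lines(BENIGN, hardened=False)))
    print("\n".join(info_lines(MALICIOUS, hardened=False)))  # two records from one node
    try:
        info_lines(MALICIOUS, hardened=True)
    except ValueError as err:
        print("rejected:", err)
```

The point of the hardened variant is where the check sits: after decoding, on the decoded bytes, since the raw body contains no CR or LF at all and a check before decoding passes it through.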

Affected Systems

The vulnerability affects Red Hat Enterprise Linux 9 and 10 and Red Hat JBoss Core Services 1, all of which ship mod_proxy_cluster (see the CPEs in the history below). Any system running these products and exposing the MCMP port (6666 in the usual mod_cluster configuration) is at risk. Fixed package versions are not enumerated in the CNA data; check the Red Hat Bugzilla entry linked below and Red Hat errata for each product stream rather than assuming a given release is patched.

Risk and Exploitability

Exploitation requires network access to the MCMP port and no authentication. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, the SSVC assessment recorded below (Exploitation: none, Automatable: no, Technical Impact: partial) agrees, and the vulnerability is not in the CISA KEV catalog. The recorded CVSS vector rates the attack vector as adjacent network (AV:A), which matches the MCMP listener normally being reachable only from the back-end segment; wherever port 6666 is reachable more widely, treat the flaw as remotely reachable. The attack path is inbound traffic to the open MCMP port, which can be cut off by restricting inbound connections to trusted internal or management networks. Without such controls, an attacker could inject CRLF sequences into the node configuration and corrupt INFO responses, feeding forged node records to whatever parses that output or disrupting cluster management traffic.

Generated by OpenCVE AI on April 16, 2026 at 02:47 UTC.

Remediation

Vendor Workaround

Restrict network access to the MCMP port (6666 in the usual configuration) on systems running mod_proxy_cluster. Configure firewall rules so that inbound connections to that port are accepted only from trusted internal or management networks. This reduces the attack surface by keeping untrusted hosts away from the vulnerable service; it does not remove the flaw, and hosts inside the allowed networks can still reach it. A firewall reload or service restart may be required for the new rules to take effect.
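As an added example that is not part of the vendor workaround or of the project's documentation, the same restriction can also be applied inside httpd, so the MCMP receiver refuses messages from outside a management subnet even if a host firewall rule is missing. The bind address, the port and the 10.10.0.0/24 subnet are assumptions to adjust for your deployment. EnableMCMPReceive is the directive current mod_proxy_cluster uses to make a VirtualHost the MCMP receiver (older releases spelled it EnableMCPMReceive); verify the name against the installed version.

```apache
# Added example, not from the advisory or from mod_proxy_cluster's own docs.
# Bind the MCMP listener to the management interface only (address assumed).
Listen 10.10.0.1:6666

<VirtualHost 10.10.0.1:6666>
    # This VirtualHost receives MCMP messages (CONFIG, STATUS, INFO, ...).
    EnableMCMPReceive

    # Accept MCMP only from the management subnet (subnet assumed).
    <Location />
        Require ip 10.10.0.0/24
    </Location>
</VirtualHost>
```

Run `httpd -t` (or `apachectl configtest`) before reloading, and confirm from a host outside the subnet that an INFO request to port 6666 is refused. This complements, and does not replace, the firewall rule: both controls limit who can reach the vulnerable code, neither fixes it.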


OpenCVE Recommended Actions

  • Restrict network access to the MCMP protocol port (typically 6666) for systems running Apache mod_proxy_cluster, configuring firewall rules to limit inbound connections to trusted internal or management networks.
  • Apply the latest Red Hat security updates for Red Hat Enterprise Linux 9/10 and Red Hat JBoss Core Services to patch the vulnerable mod_proxy_cluster module.
  • Monitor inbound MCMP traffic and system logs for anomalous connections or unexpected response content to detect potential exploitation attempts.
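Detection logic for the two signals named above (MCMP traffic from untrusted sources, and CR/LF in MCMP parameters), as an added example that is not part of the advisory or of mod_proxy_cluster. It needs request bodies, which the default httpd access log does not record, so the records are assumed to come from a body-capturing source such as a WAF log, mod_dumpio output or a packet capture; every address and value here is constructed, and the trusted subnet is an assumption.

```python
"""
Added example (not part of the advisory or of mod_proxy_cluster): detection
logic for the two signals the recommended actions name, run over constructed
sample MCMP requests. The records are assumed to come from a body-capturing
source (WAF log, mod_dumpio, packet capture); every value is made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Management networks allowed to speak MCMP (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# MCMP request methods; anything else is treated as ordinary HTTP here.
MCMP_METHODS = {
    "CONFIG", "ENABLE-APP", "DISABLE-APP", "STOP-APP", "REMOVE-APP",
    "STATUS", "INFO", "DUMP", "PING",
}

# Raw or single-percent-encoded CR/LF anywhere in the request body.
CRLF_RE = re.compile(r"(%0d|%0a|\r|\n)", re.IGNORECASE)


@dataclass
class McmpRecord:
    src: str     # client IP as captured
    method: str  # HTTP/MCMP method
    body: str    # request body, still percent-encoded


def classify(rec: McmpRecord) -> list:
    """Return the alert tags that apply to one record (empty list if benign)."""
    alerts = []
    if rec.method not in MCMP_METHODS:
        return alerts  # not MCMP traffic, out of scope for this detector
    if not any(ipaddress.ip_address(rec.src) in net for net in TRUSTED_NETS):
        alerts.append("mcmp-from-untrusted-source")
    if CRLF_RE.search(rec.body):
        alerts.append("crlf-in-mcmp-parameter")
    return alerts


# Constructed sample records: two normal node messages, an INFO probe from an
# outside address, a CONFIG carrying an encoded CRLF, and unrelated HTTP.
SAMPLES = [
    McmpRecord("10.10.0.7", "CONFIG", "JVMRoute=node1&Host=10.10.0.7&Port=8009"),
    McmpRecord("10.10.0.7", "STATUS", "JVMRoute=node1&Load=90"),
    McmpRecord("192.0.2.44", "INFO", ""),
    McmpRecord("192.0.2.44", "CONFIG", "JVMRoute=node1%0d%0aNode:%20[9]&Host=192.0.2.44&Port=8009"),
    McmpRecord("10.10.0.7", "GET", "q=%0a"),
]


def scan(records=SAMPLES) -> dict:
    """Map record index to its alerts, keeping only records that fired."""
    return {i: a for i, r in enumerate(records) if (a := classify(r))}


if __name__ == "__main__":
    for idx, tags in scan().items():
        print(idx, SAMPLES[idx].src, SAMPLES[idx].method, tags)
```

The source check fires on any MCMP verb from outside the allowlist, including a harmless-looking INFO, because an unexpected peer speaking MCMP at all is the earlier signal; the body check is the direct indicator for this CVE. Extend CRLF_RE with double-encoded forms (%250d, %250a) if the capture point sees bodies before a decoding proxy.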

Generated by OpenCVE AI on April 16, 2026 at 02:47 UTC.


Advisories

No advisories yet.

History

Thu, 12 Mar 2026 14:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 11:15:00 +0000

Description
  Removed: No description is available for this CVE.
  Added: A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.
Title
  Removed: mod_proxy_cluster: apache mod_proxy_cluster: Response body corruption via CRLF injection
  Added: Mod_proxy_cluster: mod_proxy_cluster: response body corruption via crlf injection
First Time appeared
  Added: Redhat; Redhat enterprise Linux; Redhat jboss Core Services
CPEs
  Added: cpe:/a:redhat:jboss_core_services:1; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:9
Vendors & Products
  Added: Redhat; Redhat enterprise Linux; Redhat jboss Core Services
References
  (no values shown)

Fri, 06 Mar 2026 15:30:00 +0000

First Time appeared
  Added: Apache; Apache mod Proxy Cluster
Vendors & Products
  Added: Apache; Apache mod Proxy Cluster

Thu, 05 Mar 2026 12:15:00 +0000

Description
  Added: No description is available for this CVE.
Title
  Added: mod_proxy_cluster: apache mod_proxy_cluster: Response body corruption via CRLF injection
Weaknesses
  Added: CWE-93
References
  (no values shown)
Metrics
  Removed: threat_severity None
  Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; threat_severity Low


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-12T13:15:53.651Z

Reserved: 2026-02-26T00:17:46.458Z

Link: CVE-2026-3234

Vulnrichment

Updated: 2026-03-12T13:15:49.984Z

NVD

Status : Awaiting Analysis

Published: 2026-03-12T11:15:57.147

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-3234

Redhat

Severity : Low

Public Date: 2026-02-26T00:00:00Z

Links: CVE-2026-3234 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses