Description
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a response splitting flaw in several Apache HTTP Server modules that relay responses from backend servers. The vendor title describes it as forwarding a malicious status line: when a backend that is untrusted or has been compromised returns crafted data, httpd can pass line breaks through into the response it sends to the client, so the client sees extra header lines, or a different status line, that httpd never intended to send. The weakness is categorised as CWE-443 and NVD-CWE-Other. Depending on how the client handles the injected lines, the consequences include cache poisoning, session fixation (for example through an injected Set-Cookie header) or cross-site scripting.

Affected Systems

Apache HTTP Server versions up to and including 2.4.66 are affected; the vendor description gives no lower bound. The software is distributed by the Apache Software Foundation.

Risk and Exploitability

There is no EPSS score or KEV listing in the data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, score 6.5) describes a network-reachable flaw that needs no privileges on httpd and no user interaction, with limited confidentiality and integrity impact and no availability impact; the SSVC entry rates it Automatable: yes, Exploitation: none. The precondition is control of a backend whose responses httpd forwards: an attacker who operates, or has compromised, such a backend can inject header lines into the responses httpd relays to clients without any further access to the Apache instance itself. The risk is therefore concentrated in deployments that proxy to backends outside the operator's control, or where a backend compromise is a realistic step in an attack chain.

Generated by OpenCVE AI on May 4, 2026 at 21:50 UTC.

Remediation

Vendor fix: upgrade to Apache HTTP Server 2.4.67, which the vendor description states fixes the issue. No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later.
  • Treat backend servers reached through proxy modules as untrusted: validate every backend status line and header before relaying it, and reject (for example with a 502) any response whose status line or header values contain CR or LF, rather than trying to encode them; a control character inside a relayed header has no legitimate use.
  • Limit the use of modules that forward raw backend status lines and headers to clients, and disable them where they are not required for legitimate functionality.
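The following Python example is added here to illustrate the bug class the analysis above describes and the validation step in the actions list. It is not code from Apache HTTP Server and it does not reproduce the actual flaw in httpd's modules, whose mechanics the advisory does not give. It models a minimal reverse proxy that relays a backend response: a permissive parser that splits header lines only on CRLF lets a bare LF survive inside a header value or the status line's reason phrase, the unchecked forwarder re-serialises it, and a lenient client that accepts a bare LF as a line terminator then sees an injected Set-Cookie or Location header. The hardened forwarder answers 502 instead. All backend responses are constructed sample data, and every function name is this example's own.

```python
import re

# Constructed sample backend responses (not taken from the advisory). They stand in
# for what an untrusted or compromised origin could return to a reverse proxy.
BENIGN = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"\r\n"
          b"<p>hello</p>")

# Bare LF inside a header value. A parser that splits only on CRLF keeps the LF as
# part of the value; a lenient client treats it as the end of the header line.
LF_IN_HEADER = (b"HTTP/1.1 200 OK\r\n"
                b"X-Backend: ok\nSet-Cookie: session=attacker-chosen\r\n"
                b"\r\n"
                b"<p>hello</p>")

# Same trick in the status line's reason phrase (a "malicious status line").
LF_IN_STATUS = (b"HTTP/1.1 200 OK\nLocation: https://evil.example/\r\n"
                b"Content-Type: text/html\r\n"
                b"\r\n")


def parse_backend_response(raw: bytes):
    """Permissive parse: head/body split on CRLFCRLF, header lines split on CRLF only."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed status line")
    version, code, reason = parts
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return version, code, reason, headers, body


def forward_unchecked(raw: bytes) -> bytes:
    """Vulnerable forwarder: re-serialises the backend's fields, control characters included."""
    version, code, reason, headers, body = parse_backend_response(raw)
    out = b"%s %s %s\r\n" % (version, code, reason)
    for name, value in headers:
        out += b"%s: %s\r\n" % (name, value)
    return out + b"\r\n" + body


# Control characters other than HTAB (which RFC 9110 allows inside field values).
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")
# RFC 9110 token characters, the only ones legal in a field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def split_risk(raw: bytes) -> list:
    """List every reason the backend response must not be relayed as-is (empty if clean)."""
    _version, code, reason, headers, _body = parse_backend_response(raw)
    problems = []
    if not re.fullmatch(rb"[1-5][0-9][0-9]", code):
        problems.append("status code is not three digits")
    if CTL.search(reason):
        problems.append("control character in status reason phrase")
    for name, value in headers:
        if not TOKEN.match(name):
            problems.append("invalid header name %r" % name)
        if CTL.search(value):
            problems.append("control character in header %s" % name.decode(errors="replace"))
    return problems


def forward_checked(raw: bytes) -> bytes:
    """Hardened forwarder: answer 502 rather than relay a response a client would re-split."""
    if split_risk(raw):
        return (b"HTTP/1.1 502 Bad Gateway\r\n"
                b"Content-Length: 0\r\n"
                b"Connection: close\r\n"
                b"\r\n")
    return forward_unchecked(raw)


def client_sees_header(response: bytes, name: bytes) -> bool:
    """Emulate a lenient client that accepts a bare LF as a line terminator."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in re.split(rb"\r?\n", head)[1:]:
        if line.split(b":", 1)[0].strip().lower() == name.lower():
            return True
    return False


if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("lf-in-header", LF_IN_HEADER),
                       ("lf-in-status", LF_IN_STATUS)):
        print(label, split_risk(raw) or "clean")
        relayed = forward_unchecked(raw)
        print("  unchecked relay exposes injected header:",
              client_sees_header(relayed, b"Set-Cookie")
              or client_sees_header(relayed, b"Location"))
```

The point of the split is that the proxy and the client disagree about where a line ends: the proxy's CRLF-only parser sees one header, the client's lenient parser sees two. Rejecting the whole response is the right reaction, since stripping or encoding the control character would still hand the client a header the backend had no business setting.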

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | NVD-CWE-Other
CPEs       |                | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Mon, 04 May 2026 18:30:00 +0000

Type       | Values Removed | Values Added
References |                |

Mon, 04 May 2026 17:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Apache; Apache http Server
Vendors & Products  |                | Apache; Apache http Server

Mon, 04 May 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 15:00:00 +0000

Type        | Values Removed | Values Added
Description |                | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title       |                | Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
Weaknesses  |                | CWE-443
References  |                |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T17:32:49.282Z

Reserved: 2026-03-20T17:29:39.696Z

Link: CVE-2026-33523

Vulnrichment

Updated: 2026-05-04T17:32:49.282Z

NVD

Status : Analyzed

Published: 2026-05-04T15:16:04.227

Modified: 2026-05-04T20:21:15.483

Link: CVE-2026-33523

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T22:00:11Z

Weaknesses