Description
Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an off-by-one out-of-bounds read in the mod_proxy_ajp module of the Apache HTTP Server. The flaw allows an attacker to read memory beyond a buffer boundary, potentially exposing sensitive data that resides in the process's memory space. The weakness is classified as CWE-125 and can lead to the disclosure of confidential information to a remote attacker.

Affected Systems

All installations of Apache HTTP Server up to and including version 2.4.66 are affected. The most recent version that contains the fix is 2.4.67.

Risk and Exploitability

The vulnerability is publicly documented but has no reported exploitation instances. The CVSS score is 5.3, indicating moderate severity. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, indicating that known exploitation is either absent or low. The attack vector is likely remote, mediated through AJP requests received by the server; this inference is based on the affected mod_proxy_ajp component.

Generated by OpenCVE AI on May 4, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apache HTTP Server to version 2.4.67 or newer to eliminate the flaw.
  • If an immediate upgrade is not possible, disable the mod_proxy_ajp module or block AJP traffic from untrusted networks to prevent exploitation.
  • Ensure that any remaining AJP listeners are bound only to trusted interfaces and that SSL/TLS is enforced for remote connections to mitigate potential data leakage.

Generated by OpenCVE AI on May 4, 2026 at 15:51 UTC.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Apache http Server
CPEs                |                | cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Apache http Server

Mon, 04 May 2026 18:30:00 +0000

Type       | Values Removed | Values Added
References |                |

Mon, 04 May 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Apache; Apache apache Http Server
Vendors & Products  |                | Apache; Apache apache Http Server

Mon, 04 May 2026 14:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 13:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Title       |                | Apache HTTP Server: Off-by-one OOB reads in AJP getter functions
Weaknesses  |                | CWE-125
References  |                |

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T17:32:50.362Z

Reserved: 2026-03-24T09:20:11.213Z

Link: CVE-2026-33857

Vulnrichment

Updated: 2026-05-04T17:32:50.362Z

NVD

Status : Analyzed

Published: 2026-05-04T14:16:33.253

Modified: 2026-05-04T20:26:20.463

Link: CVE-2026-33857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:00:04Z

Weaknesses