Description
Buffer Over-read vulnerability in Apache HTTP Server.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap over-read in Apache HTTP Server's mod_proxy_ajp component, specifically the ajp_parse_data() function, allows an attacker to read uninitialized memory. This can disclose sensitive data held in the httpd process's address space and is classified as CWE-126 (Buffer Over-read). The vulnerability is limited to AJP protocol handling and does not directly affect authentication or integrity.

Affected Systems

Apache Software Foundation’s Apache HTTP Server, versions up through and including 2.4.66. No other vendor or product is affected according to the CNA data.

Risk and Exploitability

The likely attack vector is a crafted AJP request sent to an Apache instance with mod_proxy_ajp enabled. Based on the description, an attacker who can reach the AJP endpoint may trigger the buffer over-read and read uninitialized memory. With a CVSS score of 7.5, this is a high-severity vulnerability when AJP is exposed on an untrusted network. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so the threat likelihood cannot be quantified, but the impact remains significant wherever the AJP endpoint is reachable.

Generated by OpenCVE AI on May 4, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later, which contains the fix for the heap over-read in ajp_parse_data().
  • If the AJP protocol is not required for business operations, disable mod_proxy_ajp on the affected servers to eliminate the attack surface.
  • Restrict AJP access to trusted internal networks or apply firewall rules to block external traffic to the AJP endpoint.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Mon, 04 May 2026 18:30:00 +0000

Type: References

Mon, 04 May 2026 16:15:00 +0000

Type: First Time appeared
Values Added: Apache; Apache http Server
Type: Vendors & Products
Values Added: Apache; Apache http Server

Mon, 04 May 2026 15:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 13:00:00 +0000

Type: Description
Values Added: Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Type: Title
Values Added: Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()
Type: Weaknesses
Values Added: CWE-126
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T17:32:52.565Z

Reserved: 2026-03-25T16:18:03.089Z

Link: CVE-2026-34059

Vulnrichment

Updated: 2026-05-04T17:32:52.565Z

NVD

Status : Analyzed

Published: 2026-05-04T13:16:00.940

Modified: 2026-05-04T20:27:04.503

Link: CVE-2026-34059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:30:03Z

Weaknesses