Back to search

Apache Software Foundation

Apache HTTP Server

See the latest tracked release, confirm when it was published, and subscribe for update emails.

Current version
Last checked: 2026-06-03

2.4.67

Release date
May 04, 2026
Security status
6 high-severity CVEs tracked in the last 90 days. Current version not affected.

Source

GitHub API

Public release notes are linked for the latest stored release.

View release notes Subscribe to updates

Release history

See the latest published releases stored for this product.

Version Published Notes
2.4.67 2026-05-04 Release Notes
2.4.66 2025-12-04 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-28780 CRITICAL (9.8) 2026-05-05 Current versionnot affected

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected versions
  • Up to (excluding) 2.4.67
CVE-2026-29168 HIGH (7.3) 2026-05-05 Current versionnot affected

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's  mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected versions
  • From (including) 2.4.30 - Up to (excluding) 2.4.67
CVE-2026-29169 HIGH (7.5) 2026-05-04 Current versionnot affected

A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.mod_dav_lock is not used internally by mod_dav or mod_dav_fs. The only known use-case for mod_dav_lock was mod_dav_svn from Apache Subversion earlier than version 1.2.0. Users are recommended to upgrade to version 2.4.66, which fixes this issue, or remove mod_dav_lock.

Affected versions
  • Up to (excluding) 2.4.67
CVE-2026-23918 HIGH (8.8) 2026-05-04 Current versionnot affected

Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected versions
  • 2.4.66
CVE-2026-34059 HIGH (7.5) 2026-05-04 Current versionnot affected

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Affected versions
  • Up to (excluding) 2.4.67
CVE-2026-24072 HIGH (8.8) 2026-05-04 Current versionnot affected

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Affected versions
  • Up to (excluding) 2.4.67
versionPing is an unofficial free service that tracks software releases and notifies you when CVEs and updates are available. Built by an engineer for engineers.ImprintPrivacy Notice