VYPR
Published Jun 10, 2026 · 1 source

Apache HTTP Server and Answer: 22 Vulnerabilities Disclosed, Including Critical Flaws

Key findings

  • 22 vulnerabilities disclosed for Apache HTTP Server and Apache Answer between June 8-10, 2026.
  • Critical severity flaws (CVSSv3 9.8) include buffer underwrite and use-after-free in Apache HTTP Server.
  • Apache HTTP Server version 2.4.68 released to address multiple high and critical severity issues.
  • Apache Answer vulnerabilities include path traversal, XSS, and unrestricted file uploads.
  • CVE-2026-49975 is part of the 'HTTP/2 Bomb' DoS attack affecting multiple web servers.
  • Users of both products are urged to upgrade to patched versions promptly.

The Apache Software Foundation disclosed a substantial collection of 22 vulnerabilities affecting its flagship Apache HTTP Server and the Apache Answer Q&A platform between June 8 and June 10, 2026. The disclosures include several critical and high-severity flaws, impacting various modules and features within the widely used web server and the Answer application.

The Apache HTTP Server was the most heavily impacted, with 13 vulnerabilities addressed. Among these, CVE-2026-44631 and CVE-2026-29167 stand out with Critical severity (CVSSv3 9.8), stemming from buffer underwrite and use-after-free issues respectively. CVE-2026-44631 is related to crafted regular expressions in the server's configuration, while CVE-2026-29167 affects the mod_ldap module in per-directory configurations. Other high-severity flaws in the HTTP Server include denial-of-service (DoS) vulnerabilities like CVE-2026-49975, which is part of the 'HTTP/2 Bomb' attack, and various buffer overflow and use-after-free conditions.

Several of the Apache HTTP Server vulnerabilities were patched in version 2.4.68. Specifically, CVE-2026-44631, CVE-2026-44186, CVE-2026-44185, CVE-2026-44119, CVE-2026-42536, CVE-2026-42535, CVE-2026-34356, CVE-2026-34355, CVE-2026-29170, and CVE-2026-29167 are all addressed in this release, which covers versions from 2.4.0 through 2.4.67. The 'HTTP/2 Bomb' vulnerability, CVE-2026-49975, which can lead to denial of service via malicious HTTP requests, also affects versions from 2.4.17 through 2.4.67 and is fixed in 2.4.68. (Source: Cyber Security News)
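A quick exposure check against the version ranges stated above, as an added example that is not part of the original summary or of the Apache project: it parses the banner that `httpd -v` prints and reports which of the listed CVE groups cover that version. It assumes the stated ranges are inclusive, and the sample banner is constructed.

```python
import re
import subprocess

# Fix version and affected ranges exactly as stated in the advisory summary.
# Assumption: the stated bounds are inclusive.
FIXED_IN = (2, 4, 68)
AFFECTED = {
    "CVE-2026-44631/-44186/-44185/-44119/-42536/-42535/-34356/-34355/-29170/-29167":
        ((2, 4, 0), (2, 4, 67)),
    "CVE-2026-49975 (HTTP/2 Bomb DoS)":
        ((2, 4, 17), (2, 4, 67)),
}

# `httpd -v` prints a line such as "Server version: Apache/2.4.66 (Unix)".
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str):
    """Return (major, minor, patch) from an httpd version banner, or None."""
    match = VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def affected_cves(version):
    """List the advisory's CVE groups whose stated range contains `version`."""
    return [label for label, (low, high) in AFFECTED.items() if low <= version <= high]


def check_httpd_banner(banner: str) -> dict:
    """Classify a banner: parsed version, matching CVE groups, and the fix version."""
    version = parse_httpd_version(banner)
    if version is None:
        return {"version": None, "affected": [], "fixed_in": FIXED_IN}
    return {"version": version, "affected": affected_cves(version), "fixed_in": FIXED_IN}


def check_local_httpd() -> dict:
    """Run the local `httpd -v` (if installed) and classify its output."""
    try:
        out = subprocess.run(["httpd", "-v"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    return check_httpd_banner(out)


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real host.
    sample = "Server version: Apache/2.4.66 (Unix)\nServer built:   Jan  1 2026"
    print(check_httpd_banner(sample))
```

Distribution packages often backport fixes without bumping the upstream version string, so a match here means "review the vendor's changelog", not a confirmed vulnerable build.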

The Apache Answer Q&A platform saw nine vulnerabilities disclosed, all affecting versions up to 2.0.0. These range in severity from Medium (CVSSv3 6.5) to High (CVSSv3 8.1). Notable among these is CVE-2026-41731, a high-severity flaw in JsonKafkaHeaderMapper and DefaultKafkaHeaderMapper related to trusted package prefix checks, which could allow for deserialization of untrusted data when combined with Jackson's default bean deserialization. Other issues in Apache Answer include path traversal in the Samba provider's GCSToSambaOperator (CVE-2026-49818), exposure of sensitive information via unlisted question features (CVE-2026-34905), and cross-site scripting (XSS) vulnerabilities in notification emails and AI-generated responses (CVE-2026-34033, CVE-2026-25688).

Further vulnerabilities in Apache Answer include unrestricted uploads of dangerous file types, such as a crafted TIFF image that could cause a server crash (CVE-2026-33582), and the ability for authenticated users to embed arbitrary external content as profile images (CVE-2026-34031). Additionally, timeline-related APIs lacked proper authorization checks, allowing regular users to access deleted or private content (CVE-2026-25699).

The coordinated disclosure highlights ongoing security challenges across Apache's diverse product ecosystem. Users of both Apache HTTP Server and Apache Answer are strongly advised to review the specific CVE details and apply the necessary patches or upgrades as soon as possible to mitigate the risks associated with these vulnerabilities. The Apache HTTP Server 2.4.68 release appears to be the primary fix for the majority of the HTTP Server vulnerabilities disclosed.

This batch of vulnerabilities underscores the importance of timely patching and staying informed about security advisories from vendors like the Apache Software Foundation. The range of issues, from denial-of-service to information exposure and code execution, demonstrates the multifaceted threats that can arise from complex software components.

Synthesized by Vypr AI