Heap-based Buffer Overflow in Apache HTTP Server Mod Proxy AJP
CVE-2026-28780

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 5 May 2026

What is CVE-2026-28780?

A heap-based buffer overflow vulnerability exists in the mod_proxy_ajp component of Apache HTTP Server. When this module connects to an untrusted AJP server, it may receive malicious AJP messages that could manipulate memory and cause the application to write data beyond the intended buffer limits. This vulnerability poses a risk of exploitation, allowing attackers potential control over affected systems. Users are urged to update to Apache HTTP Server version 2.4.67 or later to address this issue.

Affected Version(s)

Apache HTTP Server 0 <= 2.4.66

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 5, 2026
Vulnerability Reserved
Mar 3, 2026

Credit

Andrew Lacambra

Elhanan Haenel

Tianshuo Han (<hantianshuo233@gmail.com>)

Tristan Madani

CVE-2026-28780 Data

JSON