Apache HTTP Server: mod_dav_fs protected directory access
CVE-2026-42535

9.1CRITICAL

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-42535?

A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes.

Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Affected Version(s)

Apache HTTP Server 0 <= 2.4.67

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
Apr 28, 2026

Credit

Zhenpeng (Leo) Lin at depthfirst

CVE-2026-42535 Data

JSON