Infinite Loop Vulnerability in Apache HTTP Server's mod_proxy_ftp Module
CVE-2026-44186

7.3HIGH

Key Information:

Vendor

Apache

Vendor
CVE Published:
8 June 2026

What is CVE-2026-44186?

A vulnerability exists in the mod_proxy_ftp module of the Apache HTTP Server, allowing for the potential occurrence of an infinite loop during processing requests from attackers controlling backend FTP servers. This issue affects various versions of the server up to 2.4.67. Users are strongly advised to upgrade to version 2.4.68 or later to mitigate this issue. This vulnerability can lead to denial of service conditions, impacting server performance and availability.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.67

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zhenpeng (Leo) Lin at depthfirst
.