oss-sec mailing list archives

CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line


From: Eric Covener <covener () apache org>
Date: Mon, 04 May 2026 14:21:05 +0000

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.66

Description:

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend 
servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:

Haruki Oyama (Waseda University) (finder)
Merih Mengisteab (finder)
Dawit Jeong (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33523

Timeline:

2026-03-05: reported
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933360


Current thread: