CVE-2026-28780: Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()

[Eric Covener <covener () apache org>]

Severity: low 

Affected versions:

- Apache HTTP Server through 2.4.66

Description:

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server.
If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to 
mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:

Andrew Lacambra (finder)
Elhanan Haenel (finder)
Tianshuo Han (<hantianshuo233 () gmail com>) (finder)
Tristan Madani (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-28780

Timeline:

2026-02-04: reported
2026-03-18: reported by 3rd finder
2026-02-28: reported by 2nd finder