CVE-2026-28780 PUBLISHED

Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()

Assigner: apache
Reserved: 03.03.2026 Published: 05.05.2026 Updated: 05.05.2026

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer.

This issue affects Apache HTTP Server: through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache HTTP Server
Versions	Default: unaffected affected from 0 to 2.4.66 (incl.)

Credits

Andrew Lacambra finder
Elhanan Haenel finder
Tianshuo Han (<hantianshuo233@gmail.com>) finder
Tristan Madani finder

References

https://httpd.apache.org/security/vulnerabilities_24.html

Problem Types

CWE-122 Heap-based Buffer Overflow CWE