CVE-2026-33523 PUBLISHED

Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line

Assigner: apache
Reserved: 20.03.2026 Published: 04.05.2026 Updated: 04.05.2026

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache HTTP Server
Versions Default: unaffected
  • affected from 2.4.0 to 2.4.66 (incl.)

Credits

  • Haruki Oyama (Waseda University) finder
  • Merih Mengisteab finder
  • Dawit Jeong finder

References

Problem Types

  • CWE-443: HTTP response splitting CWE