CVE-2026-59173 PUBLISHED

Apache Traffic Server: DoS vulnerability in HTTP/2 via stalled flow-control conditions

Assigner: apache
Reserved: 02.07.2026 Published: 18.07.2026 Updated: 18.07.2026

Uncontrolled Resource Consumption vulnerability in Apache Traffic Server.

This issue affects Apache Traffic Server: from 9.0.0 through 9.1.13, from 10.0.0 through 10.1.2.

Users are recommended to upgrade to version 9.1.14 or 10.1.3, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache Traffic Server
Versions Default: unaffected
  • affected from 9.0.0 to 9.2.13 (incl.)
  • affected from 10.0.0 to 10.1.2 (incl.)

Credits

  • Okta Red Team reporter

References

Problem Types

  • CWE-400 Uncontrolled Resource Consumption CWE