CVE-2026-34355 | Severity: HIGH | CNA: apache

CVE-2026-34355: Apache HTTP Server: mod_proxy_html buffer overflow

A buffer overflow in mod_proxy_html in Apache HTTP Server 2.4.67 and earlier allows an attack by an untrusted backend. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

A buffer overflow in mod_proxy_html, part of Apache HTTP Server 2.4.67 and earlier, is reachable over the network without any authentication. An untrusted backend can trigger the overflow by sending crafted HTML content through the proxy module. Successful exploitation causes a denial of service by crashing the affected server process. HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an official fix version is published upstream.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is ingested from upstream Apache and NVD feeds within minutes of publication and matched against all customer images, including custom-built images derived from Apache HTTP Server base layers. Any image running Apache HTTP Server 2.4.67 or earlier with mod_proxy_html present is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published upstream yet, HarborGuard re-checks the Apache and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available the moment an official fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable module is exposed over the network; an attacker must be able to send requests to the Apache HTTP Server instance or control a backend that returns responses to it.

  • Authentication: Not required

    No credentials or account of any kind are needed to trigger the overflow, either from an external client or from an untrusted backend.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user needs to click a link or take any action for the attack to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental variables.

Blast Radius

  • The affected Apache HTTP Server worker process crashes, taking down request handling for all connections it was serving at the time.
  • Repeated exploitation can keep the server unavailable, causing a sustained denial of service for all traffic routed through the proxy.
  • No confidential data is read and no stored data is modified; the impact is limited entirely to availability.

How HarborGuard Handles This

Available on HarborGuard: any image running Apache HTTP Server 2.4.67 or earlier is flagged by the detection pipeline as soon as the CVE is ingested. Because Apache has not yet published a fixed release, no patched rebuild is available at this time; HarborGuard monitors the advisory on every ingest cycle and will generate a patched rebuild automatically the moment 2.4.68 or a later fix version appears upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include isolating the proxy tier behind a network policy that restricts which backends can return responses to mod_proxy_html, applying egress filtering to prevent untrusted backend connections, and disabling mod_proxy_html where HTML rewriting is not strictly required by application function.
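The detection rule stated above (Apache HTTP Server 2.4.67 or earlier with mod_proxy_html loaded), written out as an added POSIX shell check; this is not HarborGuard's scanner or Apache code, it assumes the standard "httpd -v" and "httpd -M" output formats, and the sample outputs it contains are constructed.

```shell
#!/bin/sh
# Added example (not HarborGuard's scanner, not Apache code): flag a host or image
# when httpd is 2.4.67 or earlier AND proxy_html_module is loaded. Inputs are the
# text of "httpd -v" and "httpd -M" (apache2ctl on Debian-based images).

# Return 0 when version string $1 (e.g. 2.4.67) is 2.4.67 or earlier.
httpd_version_affected() {
    major=${1%%.*}; rest=${1#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}            # drop suffixes such as "-dev"
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 2 ] || { [ "$major" -lt 2 ]; return; }
    [ "$minor" -eq 4 ] || { [ "$minor" -lt 4 ]; return; }
    [ "$patch" -le 67 ]
}

# Print the version from a "Server version: Apache/2.4.67 (Unix)" banner, or nothing.
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Return 0 when the "httpd -M" listing $1 contains proxy_html_module.
proxy_html_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*proxy_html_module[[:space:]]'
}

# Print affected / not-affected / unknown for banner $1 and module listing $2.
classify_httpd() {
    ver=$(httpd_version_from_banner "$1")
    [ -n "$ver" ] || { echo unknown; return 2; }
    if httpd_version_affected "$ver" && proxy_html_loaded "$2"; then
        echo affected; return 0
    fi
    echo not-affected; return 1
}

# Constructed sample output for a vulnerable image (not captured from a real system).
SAMPLE_BANNER='Server version: Apache/2.4.67 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_MODULES=' core_module (static)
 proxy_module (shared)
 proxy_html_module (shared)'

# Live use on a host: classify_httpd "$(httpd -v)" "$(httpd -M 2>&1)"
classify_httpd "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```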

Affected packages

  • Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H