CVE-2026-34356: Apache HTTP Server: ProxyPassReverseCookieMap buffer overflow
Heap-based buffer overflow vulnerability in Apache HTTP Server with malicious backend servers and ProxyPassReverseCookie*. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap-based buffer overflow exists in Apache HTTP Server versions 2.4.0 through 2.4.67, triggered via the ProxyPassReverseCookie directives when the server is proxying to a malicious or compromised backend. The vulnerability is reachable over the network without any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation crashes the Apache HTTP Server process, causing a denial of service. The description references an upstream fix in version 2.4.68, but no fix version has been formally published to advisory feeds yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-34356 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Apache HTTP Server. Coverage applies to any image containing an affected version in the 2.4.0 to 2.4.67 range.
- Triage: Available
Triage capability is available with the recorded CVSS score of 7.5 (HIGH), weighted further against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules for the affected workload.
- Patched-image rebuild: Pending upstream
Because no fix version has been formally published to advisory feeds yet, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a confirmed fix version is released. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as the upstream patch is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable code path is reachable over the network, so an attacker must be able to send requests to the Apache HTTP Server instance or control a backend it proxies to.
- Authentication: Not required
No credentials or account are needed to trigger the overflow; the attack can be initiated by an unauthenticated network peer or a malicious backend response.
- Victim interaction: Not required
No action from a user or administrator is required to trigger the vulnerability once the attack condition is in place.
- Attack complexity: Low
Attack complexity is low, meaning the overflow can be triggered reliably without relying on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Crashes the Apache HTTP Server worker process, taking down request handling for all sites served by that instance.
- Sustained or repeated exploitation keeps the service unavailable, effectively denying access to any application sitting behind the affected proxy.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is matched against customer images within minutes of advisory ingestion, flagged at HIGH severity (CVSS 7.5), and routed according to each environment's compliance policy. Because no fix version has been formally published to advisory feeds at this time, HarborGuard monitors the upstream Apache advisory on every ingest cycle. The moment a confirmed fix version is recorded, a patched-image rebuild at that version becomes available automatically. For customers with auto-remediation enabled, this triggers a rebuild, a regression-test run, and a PR opened against affected workloads. In the interim, compensating controls worth considering include isolating affected proxy instances behind a network policy that restricts which backends they can reach, applying egress filtering to prevent connections to untrusted or external backend hosts, and reviewing ProxyPassReverseCookie configuration to determine whether those directives can be temporarily disabled for non-essential routes.
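One way to carry out the interim review described above, as an added example that is neither HarborGuard's nor the Apache project's own code: it checks an `httpd -v` banner against the advisory's affected range (2.4.0 through 2.4.67), lists every ProxyPassReverseCookie* directive in a configuration together with its enclosing block and the ProxyPass backend it applies to, and flags routes whose backend host sits outside an allow-list of internal domains (the egress-restriction policy the paragraph suggests). The configuration fragment, hostnames, banner and allow-list are constructed for the example; the parser handles the common VirtualHost/Location layout and the one-argument ProxyPass form used inside Location blocks, not every httpd configuration feature (Include, macros, etc.).

```python
"""Added audit helper for CVE-2026-34356 (example code, not HarborGuard's or the
Apache project's own). All inputs below are constructed; hostnames are placeholders."""
import re
from urllib.parse import urlsplit

# Affected range stated in the advisory: 2.4.0 through 2.4.67 (2.4.68 named as the fix)
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 67)


def parse_httpd_version(banner):
    """Extract (major, minor, patch) from the first line of `httpd -v` output,
    e.g. 'Server version: Apache/2.4.62 (Unix)' -> (2, 4, 62)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z version string in banner")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


# Any directive with the prefix named in the advisory (ProxyPassReverseCookieDomain,
# ProxyPassReverseCookiePath). ProxyPass may take a single argument inside <Location>.
COOKIE_DIRECTIVE = re.compile(r"^\s*(ProxyPassReverseCookie\w*)\s+", re.I)
PROXYPASS = re.compile(r'^\s*ProxyPass\s+"?([^\s"]+)"?(?:\s+"?([^\s"]+)"?)?', re.I)
OPEN_BLOCK = re.compile(r"^\s*<(VirtualHost|Location|LocationMatch|Proxy)\b([^>]*)>", re.I)
CLOSE_BLOCK = re.compile(r"^\s*</(VirtualHost|Location|LocationMatch|Proxy)\s*>", re.I)


def audit_config(text):
    """Return (directive, enclosing-block path, backend URL) for every
    ProxyPassReverseCookie* directive, so each route can be reviewed for whether
    the cookie rewriting is essential and whether its backend is trusted."""
    findings = []
    stack = []      # open container blocks, innermost last
    backend = {}    # nesting depth -> most recent ProxyPass target at that depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments occupy a whole line
            continue
        if (m := OPEN_BLOCK.match(line)):
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
        elif CLOSE_BLOCK.match(line):
            backend.pop(len(stack), None)
            stack.pop()
        elif (m := PROXYPASS.match(line)):
            backend[len(stack)] = m.group(2) or m.group(1)   # one-arg form inside <Location>
        elif (m := COOKIE_DIRECTIVE.match(line)):
            # nearest ProxyPass at this depth or at any enclosing depth
            target = next((backend[d] for d in range(len(stack), -1, -1) if d in backend), None)
            findings.append((m.group(1), " > ".join(stack) or "(global)", target))
    return findings


def backends_outside_allowlist(findings, allowed_suffixes):
    """Flag cookie-rewriting routes whose backend host is not under an approved
    internal domain (the allow-list is a constructed policy; substitute your own)."""
    flagged = []
    for directive, scope, target in findings:
        host = urlsplit(target).hostname if target else None
        ok = host is not None and any(host == s or host.endswith("." + s) for s in allowed_suffixes)
        if not ok:
            flagged.append((directive, scope, target))
    return flagged


SAMPLE_CONFIG = """\
# constructed httpd.conf fragment for the example
<VirtualHost *:443>
    ServerName app.example.test
    ProxyPass        /app http://backend-a.internal.example.test:8080/
    ProxyPassReverse /app http://backend-a.internal.example.test:8080/
    ProxyPassReverseCookieDomain backend-a.internal.example.test app.example.test
    ProxyPassReverseCookiePath / /app/
    <Location /legacy>
        ProxyPass http://legacy.internal.example.test/
        ProxyPassReverseCookiePath / /legacy/
    </Location>
</VirtualHost>
<VirtualHost *:80>
    ServerName app.example.test
    ProxyPass /partner https://partner-api.example.org/
    ProxyPassReverseCookieDomain partner-api.example.org app.example.test
</VirtualHost>
"""

if __name__ == "__main__":
    banner = "Server version: Apache/2.4.62 (Unix)"   # constructed `httpd -v` output
    ver = parse_httpd_version(banner)
    print(f"httpd {'.'.join(map(str, ver))} affected: {is_affected(ver)}")
    found = audit_config(SAMPLE_CONFIG)
    for directive, scope, target in found:
        print(f"{directive:30} {scope:40} -> {target}")
    for directive, scope, target in backends_outside_allowlist(found, ["internal.example.test"]):
        print(f"REVIEW: {scope} rewrites cookies from non-allow-listed backend {target}")
```

Run against a real deployment by feeding `httpd -v` output to `parse_httpd_version` and the concatenated server configuration (for example `httpd -DDUMP_CONFIG` output, or the vhost files) to `audit_config`. Each row that shows a backend outside the allow-list is a candidate for the egress-filtering or directive-disabling measures listed above until the fixed version is available.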
Affected Products
- Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H