CVE-2026-42535: Apache HTTP Server: mod_dav_fs protected directory access
A path-handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass and path-handling flaw in mod_dav_fs in Apache HTTP Server 2.4.67 and earlier allows a remote, unauthenticated attacker to directly manipulate trusted DAV property databases. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation lets an attacker corrupt or overwrite DAV property stores and crash Apache child processes, causing service disruption and data tampering. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache HTTP Server. Any image carrying Apache HTTP Server 2.4.67 or earlier is flagged automatically. Status: Available.
HarborGuard scores this CVE at CVSS 9.1 (Critical) and weights it against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules. Status: Available.
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Apache releases a corrected package. Until then, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of affected images. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The vulnerable mod_dav_fs endpoint is exposed over the network, meaning an attacker must be able to send HTTP or WebDAV requests to the server.
- Authentication: Not required
No credentials are needed; the CVSS vector specifies PR:N, so any unauthenticated client can attempt exploitation.
- Victim interaction: Not required
The attack is fully server-side; no user or administrator needs to click, open, or approve anything for exploitation to succeed.
- Attack complexity: Low
Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- Attacker writes or overwrites DAV property database files in directories that should be protected, corrupting stored WebDAV metadata.
- Attacker triggers crashes in Apache HTTP Server child processes, degrading or fully disrupting service availability for all clients hitting the affected instance.
- Persistent corruption of DAV property stores can cause follow-on failures in any application or workflow that relies on WebDAV properties stored by mod_dav_fs.
How HarborGuard Handles This
Because no upstream fix has been published for this Critical-severity issue, HarborGuard continuously monitors the Apache advisory on every ingest cycle and will surface a patched-image rebuild automatically as soon as Apache HTTP Server 2.4.68 or a successor release is available. In the interim, customers can use HarborGuard's policy engine to enforce a block or warn gate on any image that includes Apache HTTP Server 2.4.67 or earlier, preventing affected images from being promoted to production. Additional compensating controls include applying network-policy isolation to restrict WebDAV-enabled endpoints to known trusted sources, enabling egress filtering on containers running the affected server, and disabling mod_dav_fs via configuration if WebDAV authoring is not required. For customers with auto-remediation enabled, a rebuild and regression run will be triggered and a PR opened against affected workloads the moment the upstream fix is confirmed ingested. Status: Available on HarborGuard.
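To check a container's httpd configuration for the exposed pattern the compensating controls above target (mod_dav_fs loaded, and a `Dav On` section reachable by any client), here is an added Python audit script; it is not HarborGuard's or the Apache project's code. It assumes a flat httpd.conf-style text, understands only `<Directory>`/`<Location>` containers with `Dav On` and `Require` lines (no inheritance from parent sections, no DirectoryMatch/LocationMatch), and runs against a constructed sample config embedded inline.

```python
import re

# Only <Directory>/<Location> containers are modelled; inheritance from parent
# sections and *Match containers are not (assumption of this example).
OPEN_RE = re.compile(r"^<(Directory|Location)\s+[^>]*>$", re.I)
CLOSE_RE = re.compile(r"^</(Directory|Location)>$", re.I)

def dav_fs_loaded(conf: str) -> bool:
    """True when an uncommented LoadModule line loads mod_dav_fs."""
    return any(re.match(r"^LoadModule\s+dav_fs_module\b", l.strip()) for l in conf.splitlines())

def exposed_dav_sections(conf: str) -> list:
    """Headers of `Dav On` sections reachable by any client: either no
    narrowing Require at all, or a `Require all granted` (which, under the
    default RequireAny semantics, admits everyone regardless of other lines)."""
    exposed, stack = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/whitespace
        if not line:
            continue
        if OPEN_RE.match(line):
            stack.append({"hdr": line, "dav": False, "open": False, "restricted": False})
        elif CLOSE_RE.match(line):
            sec = stack.pop()
            if sec["dav"] and (sec["open"] or not sec["restricted"]):
                exposed.append(sec["hdr"])
        elif stack:
            sec = stack[-1]
            if re.fullmatch(r"Dav\s+On", line, re.I):
                sec["dav"] = True
            elif re.fullmatch(r"Require\s+all\s+granted", line, re.I):
                sec["open"] = True                   # grants every client
            elif re.match(r"Require\s+", line, re.I):
                sec["restricted"] = True             # ip / valid-user / group ...
    return exposed

# Constructed sample config: one DAV tree open to all clients (weak), one
# restricted to a trusted address range (hardened).
SAMPLE_CONF = """\
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
<Directory "/var/www/dav-open">
    Dav On
    Require all granted
</Directory>
<Directory "/var/www/dav-internal">
    Dav On
    Require ip 10.0.0.0/8
</Directory>
"""

if __name__ == "__main__":
    print("mod_dav_fs loaded:", dav_fs_loaded(SAMPLE_CONF))
    print("exposed DAV sections:", exposed_dav_sections(SAMPLE_CONF))
```

Run it against the config extracted from an image (for example `docker cp` of httpd.conf) to confirm the module is either unloaded or every DAV-enabled section carries a narrowing Require.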
Affected Products
- Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H