CVE-2026-44186: Apache HTTP Server: Loop in `proxy_ftp_handler` in mod_proxy_ftp
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server, triggerable by an attacker-controlled backend FTP server. This issue affects Apache HTTP Server from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An infinite loop vulnerability exists in the mod_proxy_ftp module of Apache HTTP Server versions 2.4.0 through 2.4.67. An attacker who controls a backend FTP server that the proxy connects to can trigger the loop remotely, without authentication, by returning crafted FTP responses to the proxy. Successful exploitation leaves the affected Apache worker process spinning indefinitely, degrading availability of the proxied service; the CVSS vector also rates confidentiality and integrity impact as Low, reflecting limited reads and writes against the proxied connection. Apache recommends upgrading to 2.4.68, but no fix version has been formally published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available once the upstream fix is confirmed.
HarborGuard Coverage
Detection for CVE-2026-44186 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache HTTP Server with mod_proxy_ftp enabled. (Status: Available)
HarborGuard scores this CVE at CVSS 7.3 HIGH and can weight that score against each environment's compliance policy to prioritize routing; alerts are directed to the appropriate team inbox in each customer organization according to the configured policy. (Status: Available)
Because no fix version has been formally published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as Apache publishes a confirmed fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are initiated automatically at that point. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The proxy must connect to an FTP server the attacker controls. In a forward-proxy deployment (ProxyRequests On) the attacker can simply request an ftp:// URL that points at their own server; in a reverse-proxy deployment the attacker needs control of, or a man-in-the-middle position toward, the ftp:// backend configured in ProxyPass.
- Authentication: Not required
No credentials are needed to trigger the vulnerable code path; the attack can be launched without any account on the target system.
- Victim interaction: Not required
No user action is required; the attacker drives the exploit entirely through the responses returned by the backend FTP server.
- Attack complexity: Low
Attack complexity is rated Low (AC:L): once the proxy has connected to the attacker's FTP server, triggering the loop requires no special timing, race condition, or particular environmental configuration.
Blast Radius
- An attacker causes an Apache worker process to enter an infinite loop; that worker stops serving requests, degrading or, as more workers are consumed, fully blocking request handling for the proxied service.
- The CVSS vector rates confidentiality impact Low: the attacker may read a limited subset of the proxied FTP data or HTTP response content passing through the affected module.
- The CVSS vector rates integrity impact Low: the attacker may make limited modifications to proxied FTP transactions in transit.
- Repeated triggering of the loop exhausts the available Apache worker pool (bounded by MaxRequestWorkers), taking the proxy endpoint offline for legitimate users.
How HarborGuard Handles This
Detection for CVE-2026-44186 is active across all scanned environments today, matching any image that includes Apache HTTP Server 2.4.0 through 2.4.67. Because Apache has not yet formally published the 2.4.68 fix package, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every feed ingest cycle; as soon as an upstream fix is confirmed, a patched-image rebuild will become available, and customers with auto-remediation enabled will receive an automatic rebuild, regression test run, and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include: disabling mod_proxy_ftp entirely (removing or commenting out its LoadModule line) if FTP proxying is not required, which closes the vulnerable code path; if FTP proxying is required, turning off open forward proxying (ProxyRequests Off) and limiting FTP proxying to explicitly configured ProxyPass targets, so the proxy only ever connects to FTP servers you operate; and egress filtering (host firewall or Kubernetes NetworkPolicy) that blocks the proxy's outbound connections to untrusted FTP endpoints, since the loop can only be triggered by a server the proxy actually connects to.
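The following audit helper is an added example, not HarborGuard's or the Apache project's code. It checks the three conditions the compensating controls above are built on: whether the httpd version falls in the advisory's 2.4.0 through 2.4.67 range, whether mod_proxy_ftp is actually loaded, and whether the configuration lets the proxy connect to an FTP backend at all (open forward proxying via ProxyRequests On, or a ProxyPass/ProxyPassMatch target using ftp://). The sample version strings and configuration snippets are constructed for the demonstration; the file path in the usage comment and the "reachable only via ProxyRequests On or an ftp:// ProxyPass" heuristic are assumptions, not something the advisory states.

```shell
#!/bin/sh
# Added example (not HarborGuard's or Apache's code): offline exposure check for
# CVE-2026-44186. Inputs are plain text so it can run on files collected from a
# host or container image:
#   - the output of `httpd -v` (or `apache2 -v` on Debian-family systems)
#   - the httpd.conf text, or the output of `httpd -M` (loaded module list)
# Assumptions: affected range is 2.4.0 through 2.4.67 as the advisory states;
# mod_proxy_ftp is only reachable by an attacker when it is loaded AND the
# server either forward-proxies arbitrary URLs (ProxyRequests On) or has a
# ProxyPass/ProxyPassMatch target that uses ftp://.

# httpd_version TEXT -> prints the x.y.z version in `httpd -v` output, or nothing
httpd_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# affected_version TEXT -> exit 0 if the reported version is in 2.4.0..2.4.67
affected_version() {
    ver=$(httpd_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "2.4" with no patch level
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 67 ]
}

# proxy_ftp_loaded TEXT -> exit 0 if TEXT (httpd.conf or `httpd -M` output) shows
# mod_proxy_ftp loaded; commented-out LoadModule lines do not count
proxy_ftp_loaded() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(LoadModule[[:space:]]+proxy_ftp_module[[:space:]]|proxy_ftp_module[[:space:]]*\()'
}

# ftp_proxy_reachable CONF -> exit 0 if the config lets the server connect to an
# FTP backend: open forward proxying, or an explicit ftp:// ProxyPass target
ftp_proxy_reachable() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' && return 0
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ProxyPass(Match)?[[:space:]].*[[:space:]]"?ftp://'
}

# assess VERSION_TEXT CONF_TEXT -> prints one of:
#   unknown-version | not-affected | module-not-loaded | loaded-not-reachable | exposed
assess() {
    if [ -z "$(httpd_version "$1")" ]; then echo unknown-version; return 0; fi
    if ! affected_version "$1"; then echo not-affected; return 0; fi
    if ! proxy_ftp_loaded "$2"; then echo module-not-loaded; return 0; fi
    if ! ftp_proxy_reachable "$2"; then echo loaded-not-reachable; return 0; fi
    echo exposed
}

# Constructed sample inputs (not taken from any real host).
AFFECTED_VER='Server version: Apache/2.4.62 (Unix)
Server built:   (build date omitted)'
FIXED_VER='Server version: Apache/2.4.68 (Unix)'

# Weak configuration: module loaded, open forward proxy, and an ftp:// backend.
EXPOSED_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ProxyRequests On
ProxyPass "/files/" "ftp://ftp.example.internal/pub/"'

# Hardened configuration: module left unloaded, no forward proxying, HTTP-only backend.
HARDENED_CONF='LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ProxyRequests Off
ProxyPass "/app/" "http://app.example.internal/"'

# Module still loaded but unreachable: no forward proxying and no ftp:// target.
LOADED_ONLY_CONF='LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
ProxyRequests Off
ProxyPass "/app/" "http://app.example.internal/"'

# On a live host (path is an assumption): assess "$(httpd -v)" "$(cat /etc/httpd/conf/httpd.conf)"
assess "$AFFECTED_VER" "$EXPOSED_CONF"       # exposed
assess "$AFFECTED_VER" "$LOADED_ONLY_CONF"   # loaded-not-reachable
assess "$AFFECTED_VER" "$HARDENED_CONF"      # module-not-loaded
assess "$FIXED_VER" "$EXPOSED_CONF"          # not-affected
```

Distribution packages usually split LoadModule lines across included files (conf.modules.d, mods-enabled), so feed `httpd -M` output to the module check rather than a single config file, and concatenate all included files before the reachability check, which only sees the text it is given. A result of loaded-not-reachable still means the vulnerable code is present in the process; unloading the module or upgrading once 2.4.68 is confirmed is the only way to remove it.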
- Apache Software Foundation / Apache HTTP Server: ≤ 2.4.67
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L