Skip to main content

Apache HTTP Server CVE-2026-33523

| EUVDEUVD-2026-26965 MEDIUM
DEPRECATED: HTTP response splitting (CWE-443)
2026-05-04 apache
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 04, 2026 - 17:22 vuln.today
CVSS changed
May 04, 2026 - 17:22 NVD
6.5 (None) 6.5 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26965
Analysis Generated
May 04, 2026 - 15:00 vuln.today
CVE Published
May 04, 2026 - 14:40 nvd
MEDIUM 6.5

DescriptionCVE.org

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

AnalysisAI

HTTP response splitting in Apache HTTP Server 2.4.0 through 2.4.66 allows remote attackers to inject arbitrary HTTP headers and content when the server acts as a proxy to untrusted or compromised backend servers, enabling cache poisoning, session fixation, and cross-site scripting attacks. CVSS 6.5 (moderate) with network attack vector, no authentication required, and confirmed automatable exploitation per CISA SSVC framework. Vendor-released patch: version 2.4.67.

Technical ContextAI

HTTP response splitting (CWE-443) occurs in proxy modules when Apache HTTP Server fails to properly sanitize or validate HTTP response headers originating from backend servers before forwarding them to clients. The vulnerability emerges from insufficient filtering of newline characters (CR/LF sequences) in header values, allowing an attacker controlling a backend server to inject additional headers or even craft a completely separate HTTP response. This is particularly critical in reverse proxy and load-balancing configurations where Apache relays responses from upstream application servers. The issue affects multiple HTTP Server modules responsible for proxy handling and header processing, making it a systematic validation gap rather than isolated to a single component.

RemediationAI

Upgrade to Apache HTTP Server version 2.4.67 immediately. For organizations unable to patch quickly, implement the following compensating controls: (1) Disable or restrict proxy modules (mod_proxy, mod_proxy_http, mod_proxy_fcgi) if not required for operations, eliminating the attack surface; (2) Implement strict input validation at the proxy layer by configuring ModSecurity or equivalent WAF rules to block responses containing unencoded CR/LF sequences in headers before forwarding to clients; note this adds latency and may require custom rule tuning; (3) Isolate backend servers on separate network segments with strict firewall rules limiting their ability to initiate outbound connections, reducing backend compromise risk; (4) Enable response header filtering in reverse proxy configuration to strip or sanitize suspicious headers, though this requires understanding your application's legitimate header set and risks breaking legitimate functionality. See Apache security advisory at https://httpd.apache.org/security/vulnerabilities_24.html for patch verification and deployment guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-33523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy