CVE-2026-29167
It was discovered that Apache HTTP Server's mod_ldap module incorrectly handled memory when processing per-directory configurations. An attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-29167) It was discovered that Apache HTTP Server's mod_proxy_ftp module incorrectly handled HTML generation for FTP directory listings. A remote attacker could possibly use this issue to inject arbitrary web script or HTML. (CVE-2026-29170) It was discovered that Apache HTTP Server's mod_proxy_html module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34355) It was discovered that Apache HTTP Server incorrectly handled ProxyPassReverseCookie directives with a malicious backend server. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34356) It was discovered that Apache HTTP Server's mod_dav_fs module incorrectly handled certain path operations. An authenticated user could possibly use this issue to manipulate trusted WebDAV property databases or cause a denial of service. (CVE-2026-42535) It was discovered that Apache HTTP Server's mod_xml2enc module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-42536) It was discovered that Apache HTTP Server incorrectly handled response headers when multiple content languages were configured. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43951) It was discovered that Apache HTTP Server incorrectly restricted certain file functions in expressions within .htaccess files. A local attacker with .htaccess write access could possibly use this issue to obt
CSIRTS triage
- What
- Multiple vulnerabilities could lead to server crashes or arbitrary code execution.
- Who is affected
- Users of Apache HTTP Server.
- Urgency
- Remediation is important due to the potential for exploitation.
- Action
- Update to the latest version of Apache HTTP Server.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-29167
Get an email if CVE-2026-29167 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.66% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 47% of all EPSS-scored CVEs.
Advisory coverage (3)
- high[UPDATE] [high] Apache HTTP Server: Multiple vulnerabilitiescert-bund · 2026-07-09
- unknownUSN-8516-1: Apache HTTP Server vulnerabilitiesubuntu · 2026-07-08
- highCVE-2026-29167: Apache HTTP Server: mod_ldap per-dir use-after-freemsrc · 2026-06-09
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-29167)