Remote code execution flaws patched in Apache HTTP Server and MINA frameworks
Summary
Apache released security updates on May 5, 2026, addressing multiple vulnerabilities in Apache HTTP Server (fixed in 2.4.67) and MINA (fixed in 2.2.7/2.1.12), including critical and high-severity issues enabling remote code execution (RCE), denial-of-service (DoS), information disclosure, and authentication bypass. The HTTP Server patch addresses 11 vulnerabilities, with five enabling code execution or DoS conditions and four allowing information disclosure. The MINA update resolves two critical-severity flaws stemming from incomplete fixes in prior releases and requires explicit class allowlisting for the ObjectSerializationDecoder to prevent insecure deserialization attacks.
Timeline
- 05.05.2026 14:19 · 1 article
Apache releases security updates for HTTP Server and MINA with critical RCE fixes
Apache released HTTP Server 2.4.67 and MINA 2.2.7/2.1.12 on May 5, 2026, addressing 11 and 2 vulnerabilities respectively. The HTTP Server patch mitigates HTTP/2 double-free (CVE-2026-23918), AJP heap overflow (CVE-2026-28780), and multiple DoS/information disclosure issues. MINA fixes include critical insecure deserialization (CVE-2026-42778) and allowlist bypass (CVE-2026-42779) flaws requiring explicit class allowlisting for ObjectSerializationDecoder instances.
- Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server — www.securityweek.com — 05.05.2026 14:19
Information Snippets
- Apache HTTP Server 2.4.67 patches 11 vulnerabilities, 10 of which affect all prior releases.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-23918 in Apache HTTP Server is a double-free vulnerability in HTTP/2 protocol handling, enabling DoS and potential RCE via early reset triggers.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-28780 in Apache HTTP Server is a heap buffer overflow in AJP message processing that allows remote attackers to cause DoS and execute code.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- Five additional Apache HTTP Server vulnerabilities (CVE-2026-29168, CVE-2026-29169, CVE-2026-33007, CVE-2026-24072, CVE-2026-33857) lead to DoS or information disclosure.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-33523 in Apache HTTP Server is an improper neutralization of CRLF sequences flaw enabling HTTP response manipulation.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-33006 in Apache HTTP Server is a timing side-channel weakness allowing Digest authentication bypass.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- Apache MINA 2.2.7 and MINA 2.1.12 patch two critical-severity vulnerabilities (CVE-2026-42778 and CVE-2026-42779) stemming from incomplete fixes for prior insecure deserialization and allowlist bypass flaws.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-42778 in MINA is an incomplete fix for CVE-2026-41409, which itself was an incomplete fix for CVE-2024-52046, an insecure deserialization flaw enabling RCE.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- CVE-2026-42779 in MINA is an incomplete fix for CVE-2026-41635, an improper check flaw enabling allowlist bypass and code execution.
  First reported: 05.05.2026 14:19 (1 source, 1 article)
- Post-upgrade mitigation for MINA requires explicitly allowing classes in the ObjectSerializationDecoder instance to prevent insecure deserialization.
  First reported: 05.05.2026 14:19 (1 source, 1 article)