oss-security - CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <ce4b907b-4ee1-fad1-488a-b8cac997c813@apache.org>
Date: Mon, 04 May 2026 14:21:05 +0000
From: Eric Covener <covener@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-33523: Apache HTTP Server: multiple modules: HTTP
 response splitting forwarding malicious status line 

Severity: low 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.66

Description:

HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers.

This issue affects Apache HTTP Server: from through 2.4.66.

Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Credit:

Haruki Oyama (Waseda University) (finder)
Merih Mengisteab (finder)
Dawit Jeong (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33523

Timeline:

2026-03-05: reported
2026-05-04: 2.4.67 released
2026-05-04: fixed in 2.4.x by r1933360

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.