Apache HTTP Server 2.4.6 is running on 697 websites worldwide, but it's harboring a dangerous secret: 37 known vulnerabilities, including 4 critical-severity flaws that could expose your server to complete compromise. These aren't theoretical risks—they're actively exploited by attackers targeting outdated web servers. If your website is still running Apache 2.4.6, you're sitting on a cybersecurity time bomb.
The most alarming vulnerabilities include script execution attacks through mod_rewrite, information disclosure via malicious response headers, heap-based buffer overflows in mod_proxy_ajp, and TLS 1.3 session resumption bypass attacks. Each one could allow attackers to execute code on your server, steal sensitive data, or bypass your security controls entirely.
In this comprehensive guide, we'll show you exactly how to identify if you're vulnerable, understand the real-world impact of these flaws, and execute a safe upgrade strategy to protect your infrastructure. Don't wait until it's too late—your server's security depends on taking action today.
Apache HTTP Server is the world's most popular web server software, powering approximately 30% of all websites on the internet. It's an open-source application that handles the critical task of receiving visitor requests and serving web pages, applications, and content to your users. Version 2.4.6 was released in 2013 and has been widely deployed across enterprise and small business environments due to its reliability and flexibility.
Apache's longevity and widespread adoption are double-edged swords. While the software itself is robust and well-documented, running outdated versions like 2.4.6 means missing years of security patches and improvements. The longer your server runs an old version, the more likely attackers have discovered and weaponized its vulnerabilities. Think of it like leaving your front door locked with a key from 2013—while it may have worked then, security experts have since discovered multiple ways to pick that exact lock.
37 CVEs found. The most critical are explained below.
Apache has a flaw where attackers can run scripts that are hidden from normal website access. These scripts were meant to be protected, but the vulnerability allows attackers to find and execute them anyway.
Impact: An attacker could run malicious code on your server, potentially stealing data, modifying your website, or taking control of your server.
Apache's core can be manipulated through malicious responses from connected servers or applications. This allows attackers to expose sensitive information, access other systems, or run unauthorized code.
Impact: Sensitive data like database credentials or customer information could be exposed, or attackers could use your server to attack other systems.
A memory protection flaw exists in Apache's proxy module. If your server connects to a malicious external server, that server can corrupt your server's memory and inject malicious data.
Impact: Server crash, data corruption, or complete server compromise allowing attackers full control.
In certain SSL configurations with multiple websites, attackers with a valid certificate for one website can gain unauthorized access to other websites through a loophole in the security handshake.
Impact: Attackers could access restricted areas of your website or other hosted websites without proper authorization.
Website administrators who create .htaccess configuration files can accidentally read sensitive files belonging to the web server itself, accessing data they shouldn't have permission to see.
Impact: Sensitive server files, database credentials, and other confidential information could be accessed by website administrators.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2026-23918 | HIGH | 8.8 | 2026-05-04 | Double Free and possible RCE vulnerability in Apache HTTP Server with the HTTP/2 protocol. This issue affects Apache HTTP Server: 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2025-58098 | HIGH | 8.3 | 2025-12-05 | Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. … |
| CVE-2024-38473 | HIGH | 8.1 | 2024-07-01 | Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentica… |
| CVE-2024-38472 | HIGH | 7.5 | 2024-07-01 | SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content Users are recommended to upgrade to … |
| CVE-2024-38477 | HIGH | 7.5 | 2024-07-01 | null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Users are recommended to upgrade to … |
| CVE-2024-39573 | HIGH | 7.5 | 2024-07-01 | Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. User… |
| CVE-2024-40898 | HIGH | 7.5 | 2024-07-18 | SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. User… |
| CVE-2024-42516 | HIGH | 7.5 | 2025-07-10 | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server c… |
| CVE-2024-43204 | HIGH | 7.5 | 2025-07-10 | SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where … |
| CVE-2024-43394 | HIGH | 7.5 | 2025-07-10 | Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass u… |
| CVE-2024-47252 | HIGH | 7.5 | 2025-07-10 | Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in so… |
| CVE-2025-53020 | HIGH | 7.5 | 2025-07-10 | Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to up… |
| CVE-2025-55753 | HIGH | 7.5 | 2025-12-05 | An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempt… |
| CVE-2025-59775 | HIGH | 7.5 | 2025-12-05 | Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to… |
| CVE-2026-34059 | HIGH | 7.5 | 2026-05-04 | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the … |
| CVE-2026-29169 | HIGH | 7.5 | 2026-05-04 | A NULL pointer dereference in mod_dav_lock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request. mod_dav_lock is not used int… |
| CVE-2025-49812 | HIGH | 7.4 | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via… |
| CVE-2026-29168 | HIGH | 7.3 | 2026-05-05 | Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 thro… |
| CVE-2025-65082 | MEDIUM | 6.5 | 2025-12-05 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly super… |
| CVE-2026-33523 | MEDIUM | 6.5 | 2026-05-04 | HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.… |
| CVE-2015-1833 | MEDIUM | 6.4 | 2015-05-29 | XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.… |
| CVE-2025-54090 | MEDIUM | 6.3 | 2025-07-23 | A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. |
| CVE-2024-39884 | MEDIUM | 6.2 | 2024-07-04 | A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under som… |
| CVE-2025-66200 | MEDIUM | 5.4 | 2025-12-05 | mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scrip… |
| CVE-2019-17567 | MEDIUM | 5.3 | 2021-06-10 | Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regard… |
| CVE-2024-40725 | MEDIUM | 5.3 | 2024-07-18 | A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar confi… |
| CVE-2026-33857 | MEDIUM | 5.3 | 2026-05-04 | Out-of-bounds Read vulnerability in mod_proxy_ajp of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4… |
| CVE-2026-34032 | MEDIUM | 5.3 | 2026-05-04 | Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to ver… |
| CVE-2026-33007 | MEDIUM | 5.3 | 2026-05-04 | A NULL pointer dereference in the mod_authn_socache in Apache HTTP Server 2.4.66 and earlier allows an unauthenticated remote user to crash a child process in a caching forward pr… |
| CVE-2026-33006 | MEDIUM | 4.8 | 2026-05-04 | A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.… |
| CVE-2013-4352 | MEDIUM | 4.3 | 2014-07-20 | The cache_invalidate function in modules/cache/cache_storage.c in the mod_cache module in the Apache HTTP Server 2.4.6, when a caching forward proxy is enabled, allows remote HTTP… |
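The guide promises to show how to tell whether your server is affected. As an added example (not SiteRecipe's or the Apache project's code), the Python check below pulls the Apache version out of a `Server` response header or `httpd -v` output and matches it against the affected ranges quoted in the table above. It covers only the rows whose description states an explicit range, assumes "X and earlier" ranges start at the beginning of the 2.4 branch, and the sample banners are constructed.

```python
import re

# Affected ranges quoted from the table above (inclusive). Only rows with an
# explicit range are listed; "X and earlier" is assumed to start at 2.4.0.
AFFECTED = {
    "CVE-2019-17567": ((2, 4, 6), (2, 4, 46)),   # "2.4.6 to 2.4.46"
    "CVE-2024-38473": ((2, 4, 0), (2, 4, 59)),   # "2.4.59 and earlier"
    "CVE-2024-47252": ((2, 4, 0), (2, 4, 63)),   # "2.4.63 and earlier"
    "CVE-2025-53020": ((2, 4, 17), (2, 4, 63)),  # "from 2.4.17 up to 2.4.63"
    "CVE-2026-29169": ((2, 4, 0), (2, 4, 66)),   # "2.4.66 and earlier"
    "CVE-2026-34059": ((2, 4, 0), (2, 4, 66)),   # "through 2.4.66", fixed in 2.4.67
}

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch) from a Server header or `httpd -v` line,
    or None when no version is disclosed (e.g. ServerTokens Prod)."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def matching_cves(version):
    """CVEs from the table whose quoted range contains this version."""
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi)

def assess(text):
    """Parse a banner and list the table CVEs it falls into; None if unknown."""
    version = parse_version(text)
    if version is None:
        return None
    return {"version": version, "cves": matching_cves(version)}

if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Server version: Apache/2.4.6 (CentOS)",  # typical `httpd -v` output
        "Server: Apache/2.4.65 (Debian)",          # HTTP response header
        "Server: Apache/2.4.67",
        "Server: Apache",                           # version hidden
    ]
    for banner in samples:
        result = assess(banner)
        if result is None:
            print(f"{banner!r}: version not disclosed, cannot match by banner")
        else:
            v = ".".join(map(str, result["version"]))
            print(f"{banner!r}: Apache {v} -> {result['cves'] or 'no listed CVE'}")
```

A banner alone is not proof: distribution packages such as CentOS/RHEL's httpd 2.4.6 carry backported fixes under the old version number, so confirm against the vendor's changelog before concluding a listed CVE applies.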
Running Apache 2.4.6 in 2024 is like driving a car with expired brakes—you might get away with it for a while, but the consequences of failure are catastrophic. The four critical vulnerabilities alone could allow attackers to execute arbitrary code, steal confidential information, and completely compromise your server's integrity. The fact that 697 websites are still running this ancient version suggests many administrators are unaware of the risks or are postponing necessary upgrades.
Your business's security, your users' privacy, and your reputation depend on keeping your web infrastructure current. SiteRecipe.com offers free vulnerability scanning and personalized upgrade guidance to help you move from Apache 2.4.6 to a secure, modern version with confidence. Start with our free security assessment today—identify your vulnerabilities, understand your specific risks, and get a custom remediation plan. Don't become another breach statistic. Upgrade your Apache server now with SiteRecipe.com's expert support.