PatchSiren cyber security CVE debrief
CVE-2026-44185 Apache CVE debrief
CVE-2026-44185 is a buffer over-read vulnerability in Apache HTTP Server, reachable via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 7.3, with a severity rating of HIGH.
- Vendor: Apache
- Product: HTTP Server
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-11
Who should care
Users of Apache HTTP Server versions from 2.4.0 through 2.4.67 should upgrade to version 2.4.68 to fix the issue.
Technical summary
The vulnerability is caused by a buffer over-read in the Apache HTTP Server when making outbound OCSP requests to an attacker-controlled OCSP server. This can lead to information disclosure and potentially allow an attacker to gain further access to the system.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Apache HTTP Server version 2.4.68 or later.
- Review and update configurations to ensure that OCSP requests are not sent to untrusted servers.
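An added example (not from the advisory or the Apache project) that checks a version banner against the affected range stated above and lists the mod_ssl directives that make httpd contact an OCSP responder. The sample configuration, the hostnames and the trusted-host allowlist are constructed assumptions.

```python
import re

# Affected range as stated on this page: 2.4.0 through 2.4.67 (fixed in 2.4.68).
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 0), (2, 4, 67)

# mod_ssl directives that enable or direct outbound OCSP traffic.
OCSP_DIRECTIVE = re.compile(
    r"^\s*(SSLOCSPEnable|SSLUseStapling|SSLOCSPDefaultResponder|"
    r"SSLStaplingForceURL|SSLOCSPProxyURL)\s+(.+?)\s*$", re.IGNORECASE)

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(banner):
    """True/False for a parsed version, None when no Apache version is found."""
    v = parse_version(banner)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def audit_config(text, trusted_hosts):
    """Return (line number, directive, status) for each active OCSP directive."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OCSP_DIRECTIVE.match(line)  # comment lines never match
        if not m or m.group(2).lower() == "off":
            continue
        url = re.search(r"https?://([^/:\s\"]+)", m.group(2))
        if url is None:
            status = "enabled"  # responder is taken from a certificate or a default
        elif url.group(1).lower() in trusted_hosts:
            status = "trusted"
        else:
            status = "untrusted-responder"
        findings.append((lineno, m.group(1), status))
    return findings

# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONF = """\
# constructed sample
SSLUseStapling on
SSLStaplingForceURL http://ocsp.example.net/
SSLOCSPEnable off
SSLOCSPDefaultResponder "http://ocsp.internal.example/"
"""

if __name__ == "__main__":
    print(is_affected("Server version: Apache/2.4.67 (Unix)"))
    for finding in audit_config(SAMPLE_CONF, {"ocsp.internal.example"}):
        print(finding)
```

Distribution packages can backport fixes without changing the upstream version number, so confirm a positive version match against the package vendor's own advisory.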
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information and mitigation guidance can be found at [ref-4] and [ref-5].
Official resources
- CVE-2026-44185 CVE record: CVE.org
- CVE-2026-44185 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
CVE-2026-44185 was published on 2026-06-08T16:16:40.327Z and modified on 2026-06-11T04:01:27.747Z.