PatchSiren cyber security CVE debrief
CVE-2026-44186 Apache CVE debrief
CVE-2026-44186 is a HIGH severity vulnerability in Apache HTTP Server's mod_proxy_ftp module. The issue is caused by an infinite loop with an unreachable exit condition, which can be triggered by an attacker-controlled backend FTP server. The vulnerability affects Apache HTTP Server versions from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. The CVSS score for this vulnerability is 7.3.
- Vendor: Apache
- Product: HTTP Server
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-08
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-08
- Advisory updated: 2026-06-11
Who should care
Users of Apache HTTP Server versions 2.4.0 through 2.4.67 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by an infinite loop with an unreachable exit condition in the mod_proxy_ftp module of Apache HTTP Server. This can be triggered by an attacker-controlled backend FTP server.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Apache HTTP Server version 2.4.68 or later.
- Refer to [ref-4](https://httpd.apache.org/security/vulnerabilities_24.html) for vendor advisory and mitigation information.
- Refer to [ref-5](http://www.openwall.com/lists/oss-security/2026/06/08/13) for additional information.
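To decide which hosts need the upgrade first, the affected range above can be checked against what a host reports. The script below is an added example, not vendor or PatchSiren code: it parses `httpd -v` and `httpd -M` output and classifies the host. The function names, the result labels and the sample input are constructed for illustration, and treating a host without mod_proxy_ftp loaded as lower priority is an assumption of this example, not vendor guidance.

```shell
#!/bin/sh
# Added example, not vendor code. Triage one host for CVE-2026-44186 using the
# affected range stated above: 2.4.0 through 2.4.67 (fixed in 2.4.68).
# Caveat: distribution packages may backport fixes without changing the
# reported version, so an affected version string needs package-level confirmation.

# Extract "X.Y.Z" from `httpd -v` output read on stdin.
apache_version_from_banner() {
    sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' | head -n 1
}

# Succeed if version $1 lies in 2.4.0 .. 2.4.67.
version_in_affected_range() {
    case "$1" in
        2.4.*) patch=${1#2.4.} ;;
        *) return 1 ;;
    esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    [ "$patch" -le 67 ]
}

# Succeed if `httpd -M` output on stdin lists proxy_ftp_module (mod_proxy_ftp).
proxy_ftp_loaded() {
    grep -Eq '^[[:space:]]*proxy_ftp_module[[:space:]]'
}

# classify BANNER MODULES: print exposed | affected-module-not-loaded |
# outside-affected-range | unknown
classify() {
    ver=$(printf '%s\n' "$1" | apache_version_from_banner)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if ! version_in_affected_range "$ver"; then echo outside-affected-range; return 0; fi
    if printf '%s\n' "$2" | proxy_ftp_loaded; then echo exposed; else echo affected-module-not-loaded; fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_BANNER='Server version: Apache/2.4.62 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ftp_module (shared)'

classify "$SAMPLE_BANNER" "$SAMPLE_MODULES"
# On a live host: classify "$(httpd -v)" "$(httpd -M 2>/dev/null)"
# (the binary is apachectl or apache2ctl on some distributions)
```

A result of `affected-module-not-loaded` still calls for the upgrade to 2.4.68; it only indicates that mod_proxy_ftp is not currently loaded on that host.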
Evidence notes
The CVE record [cve-org] and NVD detail [nvd] provide additional information about this vulnerability.
Official resources
- CVE-2026-44186 CVE record: CVE.org
- CVE-2026-44186 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
CVE-2026-44186 was published on 2026-06-08T16:16:40.453Z and modified on 2026-06-11T04:01:39.990Z.