CVE-2026-29170 Overview
CVE-2026-29170 is a cross-site scripting (XSS) vulnerability in the mod_proxy_ftp module of Apache HTTP Server. The flaw resides in the HTML directory listing generation logic used when Apache proxies FTP directory contents through either a forward or reverse proxy configuration. Apache HTTP Server versions 2.4.67 and earlier are affected, and the Apache Software Foundation has released version 2.4.68 to remediate the issue. The vulnerability is classified under CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can inject arbitrary script into proxied FTP directory listings, executing JavaScript in the context of the Apache HTTP Server origin and enabling session theft, credential capture, or further client-side attacks.
Affected Products
- Apache HTTP Server 2.4.67 and all earlier 2.4.x releases
- Deployments using mod_proxy_ftp as a forward proxy to FTP backends
- Deployments using mod_proxy_ftp as a reverse proxy fronting FTP servers
Discovery Timeline
- 2026-06-08 - CVE-2026-29170 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-29170
Vulnerability Analysis
The mod_proxy_ftp module enables Apache HTTP Server to proxy requests to upstream FTP servers and render FTP directory contents as HTML pages for browser clients. During this rendering process, the module incorporates file and directory names returned by the upstream FTP server directly into the generated HTML response.
Values sourced from the FTP server, such as file names containing HTML metacharacters, are not adequately neutralized before insertion into the directory listing markup. An attacker who controls or influences file names on a reachable FTP server can plant entries containing script payloads. When a user retrieves the directory listing through the Apache proxy, the browser parses and executes those payloads under the proxy's origin.
The scope is changed because the injected script executes in the security context of the Apache HTTP Server origin rather than the FTP backend. User interaction is required because a victim must navigate to the proxied directory listing.
Root Cause
The root cause is insufficient output encoding of attacker-controlled FTP metadata when mod_proxy_ftp constructs HTML directory listings. File names, link targets, and related attributes are emitted into HTML without escaping characters such as <, >, ", and '. This allows arbitrary HTML and JavaScript tokens supplied by an upstream FTP server to break out of their intended textual context.
Attack Vector
Exploitation is network based and requires victim interaction. An attacker first stages malicious file or directory names on an FTP server reachable through the vulnerable Apache proxy. In forward proxy scenarios the attacker controls the destination FTP server. In reverse proxy scenarios the attacker needs write access, anonymous upload, or otherwise influence over names on the backend FTP service.
The attacker then induces a victim to load the proxied FTP directory URL, for example through a phishing link. When Apache renders the listing, the malicious markup is delivered to the browser and executed under the proxy's origin. This enables session cookie theft, CSRF against other applications hosted on the same origin, and arbitrary actions on behalf of the user.
No verified public exploitation code is available. Technical discussion is referenced in the Openwall OSS-Security thread.
Detection Methods for CVE-2026-29170
Indicators of Compromise
- Apache access_log entries containing requests to FTP-proxied paths followed by suspicious query strings or referrers from untrusted domains
- FTP directory listings returned by the proxy containing HTML tags such as <script>, <img onerror=, or <svg onload= inside file name fields
- Outbound FTP control channel responses (LIST/NLST) where file names include angle brackets, quotes, or javascript: schemes
- Browser Content Security Policy (CSP) violation reports originating from mod_proxy_ftp-served URLs
Detection Strategies
- Inspect Apache configuration for ProxyPass and ProxyPassReverse directives referencing ftp:// schemes, and inventory hosts running mod_proxy_ftp
- Deploy a web application firewall rule that flags HTML responses from FTP proxy endpoints containing script tags or event handler attributes inside <a> link text
- Correlate FTP server file enumeration events with Apache proxy response sizes and content patterns to identify weaponized listings
- Search package inventories for Apache HTTP Server installations at version 2.4.67 or earlier using OS package managers or SBOM data
Monitoring Recommendations
- Enable verbose mod_proxy logging and forward Apache logs to a centralized logging platform for retention and search
- Alert on any HTTP 200 response from FTP proxy URIs whose body contains executable HTML constructs in directory entries
- Monitor FTP backends for file creation events with names containing HTML or JavaScript syntax characters
How to Mitigate CVE-2026-29170
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.68 or later, which contains the official fix from the Apache Software Foundation
- If immediate patching is not feasible, disable mod_proxy_ftp by commenting out its LoadModule directive and restarting httpd
- Audit httpd.conf and included virtual host files for ProxyPass rules that target ftp:// URLs and remove any that are not business critical
- Review FTP backends fronted by Apache for unexpected files whose names contain HTML metacharacters and remove them
Patch Information
Apache HTTP Server 2.4.68 fixes CVE-2026-29170 by properly encoding FTP-supplied metadata before inserting it into generated HTML directory listings. Refer to the Apache HTTP Server 2.4 vulnerabilities page for the official advisory and patch references. Distribution-specific updates are typically available through vendor package repositories such as apt, dnf, and zypper.
Workarounds
- Unload mod_proxy_ftp entirely if FTP proxying is not required
- Restrict access to FTP proxy URLs using Require ip or authentication to limit exposure to trusted users
- Place a reverse proxy or WAF in front of Apache that strips or escapes HTML metacharacters in FTP listing responses
- Deploy a strict Content Security Policy on the affected virtual host to block inline script execution
# Configuration example: disable mod_proxy_ftp until patching is complete
# /etc/httpd/conf.modules.d/00-proxy.conf
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# Verify the module is no longer loaded
httpd -M 2>/dev/null | grep -i proxy_ftp
# Restart Apache to apply changes
systemctl restart httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

