CVE-2026-33857 Overview
CVE-2026-33857 is an out-of-bounds read vulnerability [CWE-125] in the mod_proxy_ajp module of Apache HTTP Server. The flaw affects all Apache HTTP Server releases through version 2.4.66. Attackers can trigger the issue remotely over the network without authentication or user interaction. Successful exploitation results in limited information disclosure from server memory, with no impact on integrity or availability. The Apache HTTP Server Project recommends upgrading to version 2.4.67, which contains the fix.
Critical Impact
Unauthenticated remote attackers can read out-of-bounds memory via crafted requests processed by mod_proxy_ajp, potentially exposing sensitive process memory contents.
Affected Products
- Apache HTTP Server versions through 2.4.66
- Deployments using the mod_proxy_ajp module to reverse-proxy to AJP backends (such as Apache Tomcat)
- Any platform shipping affected httpd builds with mod_proxy_ajp enabled
Discovery Timeline
- 2026-05-04 - CVE-2026-33857 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-33857
Vulnerability Analysis
The vulnerability resides in mod_proxy_ajp, the Apache HTTP Server module that forwards requests to backend application servers using the Apache JServ Protocol (AJP). An out-of-bounds read occurs when the module processes specific request data and reads beyond the bounds of an allocated buffer. The flaw is classified under [CWE-125] Out-of-bounds Read.
The attack vector is network-based and requires no privileges or user interaction. Exploitation impacts only confidentiality, allowing an attacker to retrieve fragments of adjacent process memory. There is no direct path to code execution or service disruption from this issue alone.
Deployments most exposed are those running httpd as a reverse proxy to Tomcat or other AJP-speaking application servers. The EPSS probability is approximately 0.103% as of 2026-05-07, indicating low near-term exploitation likelihood.
Root Cause
The root cause is missing or insufficient bounds validation in the AJP request handling path of mod_proxy_ajp. When parsing or forwarding AJP message fields, the module dereferences memory past the end of a valid buffer. Disclosed bytes may include data from prior requests, configuration material, or other process state held in httpd worker memory.
Attack Vector
A remote attacker sends a crafted HTTP request that is routed through a ProxyPass or equivalent directive to an AJP backend. The malformed request triggers the boundary error inside mod_proxy_ajp, causing the module to read beyond intended buffer limits. The leaked bytes are returned through normal proxy response paths or surfaced in error conditions, depending on configuration.
No verified public proof-of-concept code is available. Refer to the Apache HTTPD Vulnerabilities List and the Openwall OSS-Security Discussion for technical details as they become available.
Detection Methods for CVE-2026-33857
Indicators of Compromise
- Unusual or malformed HTTP requests routed to AJP backends through mod_proxy_ajp, particularly with abnormal header sizes or unexpected AJP attribute structures.
- httpd error log entries referencing AJP parsing failures, truncated responses, or unexpected proxy errors from mod_proxy_ajp.
- Response payloads containing data fragments that do not correspond to legitimate backend responses.
Detection Strategies
- Inventory all httpd instances and identify those built with or loading mod_proxy_ajp, then verify the running version against 2.4.67.
- Inspect httpd.conf and included files for ProxyPass directives using the ajp:// scheme to scope exposed reverse-proxy paths.
- Review web application firewall (WAF) and proxy logs for anomalous request patterns targeting AJP-proxied URIs.
Monitoring Recommendations
- Enable verbose error logging on mod_proxy_ajp and forward httpd logs to a centralized analytics platform for correlation.
- Alert on spikes in 502 or 500 responses originating from AJP-proxied virtual hosts, which can indicate probing for the flaw.
- Track outbound response sizes from AJP proxies and flag responses with unusual byte patterns inconsistent with backend application output.
How to Mitigate CVE-2026-33857
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.67 or later on all affected systems.
- Identify any host running httpd through 2.4.66 with mod_proxy_ajp loaded and prioritize remediation on internet-facing reverse proxies.
- Restrict access to AJP-proxied endpoints to trusted networks where feasible until patching is complete.
Patch Information
The Apache HTTP Server Project addressed CVE-2026-33857 in version 2.4.67. Vendor guidance is available in the Apache HTTPD Vulnerabilities List. Administrators using distribution-packaged builds should apply updates from their operating system vendor once backported fixes are released.
Workarounds
- Disable mod_proxy_ajp if AJP reverse proxying is not required by commenting out the LoadModule proxy_ajp_module directive and restarting httpd.
- Remove or restrict ProxyPass and ProxyPassMatch directives that use the ajp:// scheme until the patch is applied.
- Place a filtering reverse proxy or WAF in front of httpd to drop malformed requests targeting AJP-proxied paths.
# Configuration example: disable mod_proxy_ajp until patched
# In httpd.conf or the relevant modules configuration file:
# LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# Verify the running version
httpd -v
# After upgrading, confirm version 2.4.67 or later
# Server version: Apache/2.4.67 (Unix)
# Restart the service to apply changes
sudo systemctl restart httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
