CVE-2026-42535 Overview
CVE-2026-42535 is a path handling vulnerability in the mod_dav_fs module of Apache HTTP Server versions 2.4.67 and earlier. The flaw allows a WebDAV content author to directly manipulate trusted DAV property databases. Successful exploitation can cause child process crashes, impacting service availability and integrity of property storage.
The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere). Apache has released version 2.4.68 to address the issue. Administrators running WebDAV-enabled deployments should treat this as a priority remediation.
Critical Impact
Authenticated WebDAV authors can corrupt trusted DAV property databases and trigger Apache child process crashes, degrading availability and integrity of hosted content.
Affected Products
- Apache HTTP Server 2.4.67 and earlier (with mod_dav_fs enabled)
- Apache HTTP Server deployments exposing WebDAV endpoints
- Hosting platforms and content management systems built on vulnerable Apache versions
Discovery Timeline
- 2026-06-08 - CVE-2026-42535 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-42535
Vulnerability Analysis
The mod_dav_fs module implements the filesystem provider for Apache's WebDAV (Web-based Distributed Authoring and Versioning) functionality. It stores DAV properties in per-directory database files, kept in a .DAV subdirectory alongside the content, that the server treats as trusted resources. The vulnerability stems from inadequate validation of paths submitted by WebDAV clients during property operations.
A WebDAV content author with write access can craft requests that reach into these trusted property database files. Direct manipulation of these databases breaks the trust boundary between user-supplied content and server-managed metadata. The result is corruption of property state and crashes in Apache child processes that parse the tampered databases.
The issue maps to CWE-668, reflecting exposure of an internal resource to an actor outside its intended sphere. The attack vector is network-based and requires no user interaction, though the attacker must possess WebDAV authoring privileges on the target.
Root Cause
The root cause is insufficient separation between client-controlled WebDAV resource paths and the server's internal property database files used by mod_dav_fs. Path handling logic fails to prevent author requests from referencing or influencing these trusted storage artifacts.
Attack Vector
An attacker with WebDAV authoring credentials sends crafted requests against a vulnerable Apache HTTP Server endpoint. The requests manipulate property database storage paths, leading to corrupted property state. Subsequent server operations on the corrupted data trigger child process crashes, producing a denial-of-service condition and undermining property integrity.
No verified public proof-of-concept is available at this time. Refer to the Apache HTTP Server Vulnerabilities advisory and the Openwall OSS Security discussion for additional technical context.
Detection Methods for CVE-2026-42535
Indicators of Compromise
- Unexpected Apache child process crashes or segmentation faults logged in error_log, especially correlated with WebDAV PROPFIND, PROPPATCH, MOVE, or COPY requests.
- Anomalous modifications to mod_dav_fs property database files. mod_dav_fs keeps these in a .DAV subdirectory of each WebDAV-managed directory; DavLockDB configures the separate lock database, not property storage.
- WebDAV request paths containing traversal sequences, encoded separators, or a path component naming the .DAV state directory, none of which a legitimate author needs to reference.
Detection Strategies
- Inspect Apache access logs for authenticated WebDAV methods originating from unexpected accounts or sources.
- Correlate child process termination events with preceding WebDAV requests to identify exploitation attempts.
- Run file integrity monitoring on directories containing DAV property databases to detect unauthorized writes.
Monitoring Recommendations
- Raise the log level for the dav and dav_fs modules only, using per-module LogLevel syntax (for example LogLevel dav:info dav_fs:info, or debug while investigating), so request handling traces are captured without flooding error_log from every other module.
- Forward Apache logs to a centralized analytics platform and alert on repeated child exit notices (AH00051/AH00052, "child pid N exit signal ..."), especially when they cluster shortly after authenticated WebDAV requests.
- Audit the list of accounts with WebDAV write privileges and monitor their activity for deviation from baseline.
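The correlation described above, as an added example that is not part of the original advisory: it parses constructed access_log (combined format) and error_log (httpd 2.4 default format) lines, finds child exit notices, and lists the WebDAV requests that preceded each crash within a window, flagging request paths that name the .DAV state directory or use traversal. The sample lines, the 60-second window, and the path heuristic are assumptions for illustration, not the actual exploit pattern; error_log timestamps carry no zone, so they are assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real incident). ACCESS_LOG uses the
# default "combined" LogFormat; ERROR_LOG uses the httpd 2.4 ErrorLogFormat.
ACCESS_LOG = """\
10.0.0.5 - alice [08/Jun/2026:10:14:01 +0000] "PROPFIND /webdav/docs/ HTTP/1.1" 207 812 "-" "cadaver/0.23.3"
10.0.0.7 - mallory [08/Jun/2026:10:14:20 +0000] "PROPPATCH /webdav/docs/.DAV/dbm HTTP/1.1" 207 410 "-" "curl/8.5.0"
10.0.0.7 - mallory [08/Jun/2026:10:14:21 +0000] "MOVE /webdav/docs/report.txt HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.0.0.9 - bob [08/Jun/2026:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
ERROR_LOG = """\
[Mon Jun 08 10:14:22.113452 2026] [core:notice] [pid 1201:tid 140] AH00052: child pid 1340 exit signal Segmentation fault (11)
[Mon Jun 08 10:30:00.000000 2026] [mpm_event:notice] [pid 1201:tid 140] AH00489: Apache/2.4.67 (Unix) configured -- resuming normal operations
"""

# Methods handled by mod_dav plus the HTTP methods a DAV author uses to write.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "PUT", "DELETE"}

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# AH00051 (with coredump hint) / AH00052 are the MPM notices written when a child dies.
CRASH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]+\] \[pid \d+(?::tid \d+)?\] '
    r'AH0005[12]: child pid (?P<pid>\d+) exit signal (?P<signal>[^,]+)'
)
# Heuristic (assumption): a path naming mod_dav_fs's .DAV state directory or using
# traversal has no legitimate authoring purpose.
SUSPICIOUS_PATH_RE = re.compile(r'(^|/)\.DAV(/|$)|(^|/)\.\.(/|$)|%2e%2e', re.IGNORECASE)


def parse_access(text):
    """Parse combined-format lines; timestamps become naive UTC for comparison."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        requests.append({
            "ts": ts.astimezone(timezone.utc).replace(tzinfo=None),
            "ip": m["ip"], "user": m["user"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "suspicious_path": bool(SUSPICIOUS_PATH_RE.search(m["path"])),
        })
    return requests


def parse_crashes(text):
    """Extract child exit notices. error_log has no zone; assumed UTC here."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            crashes.append({
                "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y"),
                "pid": int(m["pid"]), "signal": m["signal"].strip(),
            })
    return crashes


def correlate(requests, crashes, window=timedelta(seconds=60)):
    """For each crash, collect DAV requests in the preceding window, newest first."""
    findings = []
    for crash in crashes:
        start = crash["ts"] - window
        preceding = [r for r in requests
                     if r["method"] in DAV_METHODS and start <= r["ts"] <= crash["ts"]]
        preceding.sort(key=lambda r: r["ts"], reverse=True)
        findings.append({"crash": crash, "requests": preceding,
                         "suspicious": [r for r in preceding if r["suspicious_path"]]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_access(ACCESS_LOG), parse_crashes(ERROR_LOG)):
        c = f["crash"]
        print(f"child {c['pid']} died at {c['ts']} ({c['signal']}); "
              f"{len(f['requests'])} DAV requests in the prior window, "
              f"{len(f['suspicious'])} touching property storage:")
        for r in f["suspicious"]:
            print(f"  {r['ts']} {r['ip']} {r['user']} {r['method']} {r['path']}")
```

On a real host, feed the functions the actual files; if ErrorLogFormat or LogFormat has been customized, adjust the two regular expressions to match.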
How to Mitigate CVE-2026-42535
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.68 or later on all hosts running mod_dav_fs.
- Inventory every server exposing WebDAV and confirm the running version with httpd -v (apache2ctl -v on Debian-based systems) or the package manager, and confirm whether mod_dav_fs is actually loaded with httpd -M.
- Rotate WebDAV author credentials if exploitation is suspected, and review recent property database modifications.
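One way to script the inventory step above, as an added example that is not part of the original advisory: it parses the output of httpd -v and httpd -M, reports whether mod_dav_fs is loaded at all, and compares the upstream version against 2.4.68. The sample outputs are constructed. Because distributions backport fixes without changing the upstream version string, a version below 2.4.68 is reported as needing a vendor changelog check rather than as definitely vulnerable.

```python
import re
import subprocess

# First upstream release the advisory names as fixed.
FIXED_VERSION = (2, 4, 68)

VERSION_RE = re.compile(r"Server version: Apache/(\d+)\.(\d+)\.(\d+)")
# `httpd -M` prints one module per line, e.g. " dav_fs_module (shared)".
DAV_FS_RE = re.compile(r"^\s*dav_fs_module\s*\((static|shared)\)", re.MULTILINE)

# Constructed sample outputs (assumptions for illustration, not captured from a host).
SAMPLE_V_OLD = "Server version: Apache/2.4.67 (Unix)\nServer built:   Jun  1 2026 00:00:00\n"
SAMPLE_V_FIXED = "Server version: Apache/2.4.68 (Unix)\nServer built:   Jun 10 2026 00:00:00\n"
SAMPLE_M_DAV = "Loaded Modules:\n core_module (static)\n dav_module (shared)\n dav_fs_module (shared)\n"
SAMPLE_M_NODAV = "Loaded Modules:\n core_module (static)\n"


def parse_version(httpd_v_output):
    """Return (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = VERSION_RE.search(httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def dav_fs_loaded(httpd_m_output):
    """True when the running configuration loads mod_dav_fs."""
    return DAV_FS_RE.search(httpd_m_output) is not None


def assess(httpd_v_output, httpd_m_output):
    """Classify one host from the two command outputs.

    not_exposed        mod_dav_fs is not loaded, so the affected code is not reachable
    patched            upstream version is 2.4.68 or later
    version_below_fix  version predates the fix; a distro package may still carry a
                       backport, so confirm against the vendor changelog before acting
    unknown            version could not be parsed
    """
    if not dav_fs_loaded(httpd_m_output):
        return "not_exposed"
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "version_below_fix"


def assess_local(binary="httpd"):
    """Run the binary locally (use "apache2ctl" on Debian/Ubuntu) and classify it."""
    try:
        v = subprocess.run([binary, "-v"], capture_output=True, text=True)
        m = subprocess.run([binary, "-M"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"
    # -M may put the module list on stdout and configuration warnings on stderr.
    return assess(v.stdout + v.stderr, m.stdout + m.stderr)


if __name__ == "__main__":
    print("sample old build with mod_dav_fs:", assess(SAMPLE_V_OLD, SAMPLE_M_DAV))
    print("this host:", assess_local())
```

Run it under a configuration-management tool or SSH loop across the WebDAV inventory; hosts classified version_below_fix still need the package changelog checked before being marked remediated.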
Patch Information
Apache has released version 2.4.68, which fixes the path handling defect in mod_dav_fs. Patch details and downloads are available from the Apache HTTP Server Vulnerabilities advisory. Distribution maintainers typically backport the fix to supported package streams without changing the upstream version string, so a package that still reports an older version may already contain the fix; apply vendor updates from your Linux distribution where applicable and confirm the fix through the package changelog rather than the version number alone.
Workarounds
- Disable mod_dav_fs and WebDAV functionality if it is not required by the application.
- Restrict WebDAV endpoints to trusted networks using firewall rules or Apache Require ip directives.
- Enforce strong authentication and least-privilege authorization for any account granted WebDAV write access.
- Keep the .DAV property database directories on storage with strict filesystem permissions limited to the Apache user. This limits tampering by other local accounts but not by an author acting through httpd itself, which already runs as that user; treat it as hardening, not as a fix.
# Configuration example: disable WebDAV if not required
# In httpd.conf or a conf.d include
# Comment out or remove the DAV-related LoadModule and Location blocks:
# LoadModule dav_module modules/mod_dav.so
# LoadModule dav_fs_module modules/mod_dav_fs.so
# Or restrict WebDAV access by source AND require authentication.
# In httpd 2.4 several bare Require lines in one container are combined as
# RequireAny (satisfying any one grants access), so wrap them in RequireAll
# to demand both a valid login and a trusted source address:
<Location /webdav>
    DAV On
    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/httpd/.htpasswd
    <RequireAll>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAll>
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

