
CVE-2026-44186: Apache HTTP Server DoS Vulnerability

CVE-2026-44186 is a denial-of-service vulnerability in Apache HTTP Server's mod_proxy_ftp module in which a malicious backend FTP server can drive a proxy worker into an infinite loop. This article covers the technical details, the affected versions 2.4.0 through 2.4.67, and mitigation.


CVE-2026-44186 Overview

CVE-2026-44186 is an infinite loop vulnerability [CWE-835] in the mod_proxy_ftp module of Apache HTTP Server. The flaw allows an attacker who controls a backend FTP server to trigger a loop with an unreachable exit condition in the proxy module. The condition leads to resource exhaustion and denial of service on the affected Apache instance.

The vulnerability affects Apache HTTP Server versions 2.4.0 through 2.4.67. Apache released version 2.4.68 to address the issue.

Critical Impact

An attacker-controlled FTP backend can cause the Apache mod_proxy_ftp worker to enter an infinite loop, exhausting CPU and memory and impacting availability of the proxy service.

Affected Products

  • Apache HTTP Server 2.4.0 through 2.4.67
  • Deployments using the mod_proxy_ftp module
  • Reverse proxy configurations forwarding requests to attacker-reachable FTP servers

Discovery Timeline

  • 2026-06-08 - CVE-2026-44186 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-44186

Vulnerability Analysis

The mod_proxy_ftp module enables Apache HTTP Server to proxy client requests to backend FTP servers. The vulnerability arises when the module processes responses from a malicious or attacker-controlled FTP server. Specially crafted server responses drive the proxy parsing logic into a state where the loop exit condition is never satisfied.

The affected worker thread continues consuming CPU cycles indefinitely. Repeated requests amplify the impact by tying up additional workers until the server cannot service legitimate clients. This produces a denial of service against the proxy and any sites it fronts.

Root Cause

The root cause is a Loop with Unreachable Exit Condition [CWE-835] in the FTP response handling code path of mod_proxy_ftp. The control flow lacks robust termination checks for malformed or adversarial FTP control-channel input. Inputs that would normally end iteration are mishandled, leaving the loop running until the worker is terminated externally.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction on the Apache server. An attacker must control or coerce traffic to a backend FTP server that the Apache proxy will contact. This can occur in open-proxy configurations, environments allowing client-specified upstreams, or scenarios where DNS or routing manipulation redirects FTP traffic to an attacker.

Once the connection is established, the malicious FTP server returns crafted responses that trigger the infinite loop in the proxy worker. The vulnerability does not require local access or elevated privileges to exploit. Public exploitation activity has not been reported, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-44186

Indicators of Compromise

  • Apache worker processes pinned at high CPU utilization without corresponding request throughput
  • Long-lived outbound FTP connections from Apache to untrusted or unexpected destinations
  • Sudden depletion of available Apache worker slots and rising MaxRequestWorkers saturation
  • Repeated timeouts or 503 responses from proxy endpoints that route through mod_proxy_ftp

Detection Strategies

  • Inventory Apache deployments and identify configurations that load mod_proxy_ftp via httpd -M or by inspecting LoadModule directives
  • Monitor process-level CPU and thread counts on Apache hosts to detect runaway workers
  • Correlate Apache mod_status data with outbound FTP session metadata from network telemetry
  • Alert on FTP control-channel sessions to destinations outside an approved allowlist

Monitoring Recommendations

  • Collect Apache error_log and access_log data into a centralized analytics platform for anomaly review
  • Track worker lifetime and request duration metrics to surface stalled threads
  • Capture NetFlow or packet metadata for TCP port 21 traffic originating from proxy servers
  • Establish baselines for mod_proxy_ftp request rates and alert on sustained deviations
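The worker-pool indicators listed above can be checked directly against mod_status output. The following is an added example, not code from the advisory or from the Apache project: it parses the "Key: value" lines of a mod_status "?auto" page and flags a saturated pool whose busy workers complete almost no requests. The two status samples are constructed, and the thresholds are assumptions chosen for illustration rather than Apache defaults.

```python
# Constructed sample: every busy worker is stuck in 'W' (sending reply), the
# request rate has collapsed and CPU is pinned, i.e. stalled proxy workers.
STALLED_STATUS = """\
ServerVersion: Apache/2.4.67 (Unix)
Uptime: 3600
Total Accesses: 72
CPULoad: 1420.5
ReqPerSec: .02
BusyWorkers: 15
IdleWorkers: 1
Scoreboard: WWWWWWWWWWWWWWW_........
"""

# Constructed sample of a healthy pool for comparison.
HEALTHY_STATUS = """\
ServerVersion: Apache/2.4.68 (Unix)
Uptime: 3600
Total Accesses: 153720
CPULoad: 18.3
ReqPerSec: 42.7
BusyWorkers: 3
IdleWorkers: 13
Scoreboard: WW_K____________........
"""


def parse_status(text: str) -> dict:
    """Parse the 'Key: value' lines of mod_status ?auto output into strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess_worker_pool(text, busy_ratio=0.9, min_req_per_sec=0.5, cpu_per_busy=50.0):
    """Return one finding per indicator that fires (thresholds are assumptions)."""
    f = parse_status(text)
    busy, idle = int(f.get("BusyWorkers", "0")), int(f.get("IdleWorkers", "0"))
    req_per_sec = float(f.get("ReqPerSec", "0"))  # mod_status prints ".02" style values
    cpu_load = float(f.get("CPULoad", "0"))       # percent of one CPU
    sending = f.get("Scoreboard", "").count("W")  # 'W' = worker sending a reply
    total = busy + idle
    findings = []
    if total and busy / total >= busy_ratio:
        findings.append(f"worker pool saturated: {busy}/{total} busy")
    if sending and req_per_sec < min_req_per_sec:
        findings.append(f"{sending} workers in 'W' state but only {req_per_sec:g} req/s completing")
    if busy and cpu_load / busy >= cpu_per_busy:
        findings.append(f"CPU pinned: {cpu_load:g}% load across {busy} busy workers")
    return findings
```

Feed it the body of `http://localhost/server-status?auto` on a schedule; a pool that trips all three findings at once is worth correlating with outbound port 21 sessions before assuming a traffic spike.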

How to Mitigate CVE-2026-44186

Immediate Actions Required

  • Upgrade Apache HTTP Server to version 2.4.68 or later on all affected hosts
  • Disable mod_proxy_ftp where FTP proxying is not a documented business requirement
  • Restrict outbound FTP traffic from Apache servers to an explicit allowlist of trusted backends
  • Review reverse proxy rules to ensure clients cannot influence the FTP backend destination
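The configuration review in the last three actions can be scripted. The following is an added example, not code from the advisory or from the Apache project: it scans an httpd.conf for an active `LoadModule proxy_ftp_module` line, for `ProxyRequests On` (a forward proxy, where the client chooses the upstream), and for `ProxyPass`/`ProxyPassMatch` targets using `ftp://` whose host is not on an allowlist. The sample configuration and the allowlist are constructed; `RewriteRule` with the `[P]` flag and `Include`d files are not covered.

```python
import re
from urllib.parse import urlsplit

# Constructed httpd.conf fragment exhibiting all three risky settings.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so

# Forward proxy: clients choose the upstream, including ftp:// URLs
ProxyRequests On

ProxyPass "/files/" "ftp://ftp.example.internal/pub/"
ProxyPass /www/ http://app.example.internal/
"""

LOADMODULE_RE = re.compile(r"^LoadModule\s+proxy_ftp_module\b", re.I)
OPEN_PROXY_RE = re.compile(r"^ProxyRequests\s+On\b", re.I)
# ProxyPass or ProxyPassMatch with an ftp:// target, quoted or unquoted
FTP_PASS_RE = re.compile(r'^ProxyPass(?:Match)?\s+"?\S+?"?\s+"?(ftp://[^\s"]+)"?', re.I)


def audit_proxy_ftp(conf: str, allowed_backends=frozenset()) -> list:
    """Return one finding per risky directive, tagged with its 1-based line number."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives are inert
            continue
        if LOADMODULE_RE.match(line):
            findings.append(f"line {lineno}: mod_proxy_ftp is loaded")
        elif OPEN_PROXY_RE.match(line):
            findings.append(f"line {lineno}: ProxyRequests On lets clients pick the FTP backend")
        else:
            m = FTP_PASS_RE.match(line)
            if m:
                host = urlsplit(m.group(1)).hostname
                if host not in allowed_backends:
                    findings.append(f"line {lineno}: FTP backend {host} is not on the allowlist")
    return findings
```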

Patch Information

Apache HTTP Server 2.4.68 contains the fix for CVE-2026-44186. Refer to the Apache HTTP Server Vulnerabilities page for the official advisory. Administrators should validate the upgrade against existing configurations and module dependencies before deployment.

Workarounds

  • Unload the module by commenting out the LoadModule proxy_ftp_module modules/mod_proxy_ftp.so directive in httpd.conf
  • Block FTP egress at the network perimeter for Apache proxy servers
  • Apply request timeouts and worker limits to constrain the impact of stalled workers until patching is complete
  • Place a network filter in front of Apache that rejects FTP proxy requests originating from untrusted clients
```bash
# Configuration example: disable mod_proxy_ftp by commenting out its LoadModule
# line in httpd.conf. The next line is httpd.conf content, shown as it should
# read after the change:
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so

# Check that the configuration still parses before touching the running server
httpd -t

# Verify the module is no longer loaded (no output means it is not listed)
httpd -M | grep -i proxy_ftp

# Restart Apache to apply the change
sudo systemctl restart httpd
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
