{"id":241001,"date":"2026-05-05T07:19:00","date_gmt":"2026-05-05T11:19:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/05\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/"},"modified":"2026-05-07T11:30:10","modified_gmt":"2026-05-07T15:30:10","slug":"critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/05\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/","title":{"rendered":"Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/\">Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/\">https:\/\/www.securityweek.com\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/<\/a><\/p>\n<p>Publish Date: 2026-05-05 07:19:00<\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<p><strong>Apache on Monday released patches for over a dozen vulnerabilities in HTTP Server and MINA, including critical and high-severity issues that could be exploited for remote code execution (RCE).<\/strong><\/p>\n<p>Apache HTTP Server 2.4.67 was released with fixes for 11 vulnerabilities, 10 of which affect all previous releases.<\/p>\n<p>The first is CVE-2026-23918, a double-free and possible RCE bug in the HTTP\/2 protocol handling. 
By triggering an early reset, an attacker could cause a denial-of-service (DoS) condition and potentially execute arbitrary code.<\/p>\n<p>Next in line is CVE-2026-28780, a heap buffer overflow issue that could allow remote attackers to send crafted AJP messages to cause a DoS condition and execute code.<\/p>\n<p>Three other security defects, CVE-2026-29168, CVE-2026-29169, and CVE-2026-33007, could lead to DoS conditions, while four, namely CVE-2026-24072, CVE-2026-33857, CVE-2026-34032, and CVE-2026-34059, could lead to information disclosure.<\/p>\n<p>The update also addresses an improper neutralization of CRLF sequences issue, tracked as CVE-2026-33523, which allows attackers to manipulate HTTP responses, and a timing side-channel weakness (CVE-2026-33006) that could lead to Digest authentication bypass.<\/p>\n<p>On Monday, Apache announced the rollout of MINA 2.2.7 and MINA 2.1.12 with fixes for two critical-severity vulnerabilities that should have been addressed in previous releases.<\/p>\n<p>The first, CVE-2026-42778, is described as an incomplete fix for CVE-2026-41409, which in turn is an incomplete fix for CVE-2024-52046, an insecure deserialization of data that could be exploited for RCE.<\/p>\n<p>The second is CVE-2026-42779, an incomplete fix for CVE-2026-41635, an improper check flaw leading to allowlist bypass and code execution.<\/p>\n<p>Following the upgrade to a patched release, Apache says, organizations need to \u201cexplicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance\u201d.<\/p>\n<p><strong>Related:<\/strong> SonicWall&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server 
https:\/\/www.securityweek.com\/critical-high-severity-vulnerabilities-patched-in-apache-mina-http-server\/ Publish Date: 2026-05-05 07:19:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":241002,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2023\/12\/Apache-exploit-scaled-e1724835583910.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[],"class_list":["post-241001","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241001"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=241001"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241001\/revisions"}],"predecessor-version":[{"id":241003,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/241001\/revisions\/241003"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/241002"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=241001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=241001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=241001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}