Apache HTTP Server mod_proxy_ajp Out‑Of‑Bounds Read Information Disclosure (CVE‑2026‑34032) Threatens Web Services
What It Is – An out‑of‑bounds read in the mod_proxy_ajp module of Apache HTTP Server can leak memory contents to a remote attacker. The flaw is classified as an information‑disclosure vulnerability.
Exploitability – Exploitation requires the attacker to already control an AJP backend behind the vulnerable server; no public exploit or active exploitation has been observed. CVSS v3.1 base score 3.7 (Low).
Affected Products – Apache HTTP Server 2.4.x and later, in configurations that load mod_proxy_ajp.
TPRM Impact – Third‑party web services that rely on Apache as a reverse‑proxy may inadvertently expose internal data (e.g., configuration snippets, session tokens) if an AJP connection is compromised, creating a supply‑chain leakage vector.
Recommended Actions –
- Inventory all Apache HTTP Server instances and verify whether mod_proxy_ajp is enabled.
- If AJP is not required, disable the module or block AJP ports (typically 8009) at the network perimeter.
- Apply the Apache security advisory patches released after ZDI‑26‑356.
- Conduct a review of AJP backend configurations for hardening (use trusted IPs, TLS, authentication).
- Update third‑party risk registers to reflect the new exposure and communicate remediation status to affected business units.
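The inventory step above can be scripted. The POSIX shell audit script below is an added example and is not part of the ZDI advisory or of the Apache project: it scans httpd configuration text for an active LoadModule proxy_ajp_module directive and for every ajp:// backend referenced by ProxyPass or BalancerMember directives (skipping commented-out lines), and, where an Apache binary is on PATH, asks it directly with the -M option. The configuration fragment embedded in the script, including its host addresses, ports and paths, is constructed for demonstration and does not describe any real deployment.

```shell
#!/bin/sh
# Added example (not from the ZDI advisory or the Apache project): audit an
# httpd configuration for mod_proxy_ajp and the AJP backends it proxies to.

# Constructed httpd.conf fragment used as sample input (hypothetical values).
SAMPLE_CONF='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
ProxyPass "/app" "ajp://10.0.0.5:8009/app"
ProxyPass "/api" "http://10.0.0.6:8080/api"
<Proxy balancer://workers>
    BalancerMember ajp://10.0.0.7:8009
</Proxy>
# ProxyPass "/old" "ajp://10.0.0.9:8009/"
'

# ajp_module_enabled CONF_TEXT
# Succeeds (exit 0) when an uncommented LoadModule proxy_ajp_module line exists.
ajp_module_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_ajp_module'
}

# ajp_targets CONF_TEXT
# Prints each distinct ajp:// backend as host:port, one per line, ignoring
# comment lines so retired (commented-out) backends are not reported.
ajp_targets() {
    printf '%s\n' "$1" |
        grep -Ev '^[[:space:]]*#' |
        grep -Eo 'ajp://[^"[:space:]/]+' |
        sed 's#^ajp://##' |
        sort -u
}

# audit_conf CONF_TEXT
# Prints a summary; returns 1 when mod_proxy_ajp is loaded (a finding to
# review against the advisory), 0 otherwise. Suitable for a CI/compliance job.
audit_conf() {
    conf="$1"
    if ajp_module_enabled "$conf"; then
        echo "[FINDING] mod_proxy_ajp is loaded (LoadModule proxy_ajp_module)"
        targets=$(ajp_targets "$conf")
        if [ -n "$targets" ]; then
            echo "AJP backends referenced (confirm each is trusted and its port is firewalled):"
            printf '  %s\n' $targets
        else
            echo "no ajp:// backend is configured; the module can likely be disabled"
        fi
        return 1
    fi
    echo "[OK] mod_proxy_ajp is not loaded"
    return 0
}

# live_ajp_check
# Asks the local Apache binary, if any, which modules are actually loaded
# (apachectl -M / apache2ctl -M / httpd -M print the loaded-module list).
# Returns 1 when proxy_ajp_module is loaded, 0 when it is not or no binary exists.
live_ajp_check() {
    for bin in apachectl apache2ctl httpd apache2; do
        if command -v "$bin" >/dev/null 2>&1; then
            if "$bin" -M 2>/dev/null | grep -q 'proxy_ajp_module'; then
                echo "$bin: proxy_ajp_module is loaded"
                return 1
            fi
            echo "$bin: proxy_ajp_module is not loaded"
            return 0
        fi
    done
    echo "no Apache binary found on PATH; skipping live check"
    return 0
}

# Run the audit against the constructed sample, then against the live host.
audit_conf "$SAMPLE_CONF"
echo "sample audit exit status: $?"
live_ajp_check
```

On a real host, replace SAMPLE_CONF with the output of `cat` over httpd.conf and every file it Includes (or feed `apachectl -t -D DUMP_MODULES` output to live_ajp_check's logic); the 8009 ports the script lists are the ones to confirm are unreachable from outside the trusted backend network.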
Source: Zero Day Initiative – ZDI‑26‑356