Executive Summary
A heap-based buffer overflow vulnerability (CVE-2026-28780, CVSS 9.8 Critical) has been disclosed in Apache HTTP Server's mod_proxy_ajp module. When mod_proxy_ajp is configured to proxy requests to an AJP backend server, a malicious AJP server can respond with a crafted AJP message that causes mod_proxy_ajp to write 4 attacker-controlled bytes past the end of a heap-allocated buffer. This out-of-heap-bounds write condition can lead to arbitrary code execution on the Apache HTTP Server host.
CVSS Score: 9.8 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-28780 |
| CVSS Score | 9.8 (Critical) |
| Type | Heap-Based Buffer Overflow (CWE-122) |
| Affected Module | mod_proxy_ajp |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Component | Apache HTTP Server |
| Published | 2026-05-05 |
| Source | NVD |
Affected Products
| Product | Component | Status |
|---|---|---|
| Apache HTTP Server | mod_proxy_ajp | Vulnerable |
The mod_proxy_ajp module enables Apache HTTP Server to act as a reverse proxy, forwarding HTTP requests to backend application servers using the AJP (Apache JServ Protocol) — commonly used with Apache Tomcat and other Java application servers. This configuration is extremely prevalent in enterprise Java web application deployments.
Technical Details
Vulnerability Root Cause
The vulnerability occurs in mod_proxy_ajp's response processing path. When mod_proxy_ajp is acting as a reverse proxy and connects to a backend AJP server, it trusts the AJP messages returned by that server. A malicious AJP server can craft a response message containing an oversized or specially formatted field that causes the module to perform a heap write 4 bytes past the end of a heap buffer.
While 4 bytes may seem minimal, heap overflow primitives of this nature are frequently exploitable. Attackers can leverage heap grooming techniques to position a target object (such as a function pointer, vtable pointer, or heap metadata) immediately after the vulnerable buffer, then overwrite it with the controlled bytes to redirect execution.
Attack Preconditions
For this vulnerability to be exploitable, the following conditions must be met:
mod_proxy_ajpmust be enabled and configured in the Apache HTTP Server instance- The
ProxyPassdirective must be configured to forward requests to an AJP backend - The attacker must be able to act as or influence the AJP backend server
The third condition can be satisfied in several scenarios:
- Attacker-controlled backend: In deployments where the AJP backend is exposed or the attacker has compromised the backend application server
- AJP port exposure: If the Tomcat/backend AJP port (default: 8009) is reachable and not protected, an attacker can impersonate the backend server
- Misconfigured AJP connectors: Legacy deployments may have AJP connectors listening without authentication (AJP has historically had authentication issues, including the Ghostcat vulnerability CVE-2020-1938)
Attack Chain
1. Attacker identifies an Apache HTTP Server instance with
mod_proxy_ajp configured to proxy to a backend AJP server
2. Attacker positions themselves as the AJP backend (by compromising
the backend, intercepting AJP traffic, or exploiting an exposed
AJP port on the backend)
3. Attacker crafts a malicious AJP response message that triggers
the heap overflow in mod_proxy_ajp
4. mod_proxy_ajp writes 4 attacker-controlled bytes past the end
of the heap buffer
5. If the overflow overwrites an adjacent heap object containing
a function pointer or vtable, attacker redirects execution
6. Arbitrary code executes with the privileges of the Apache
HTTP Server process (typically www-data or apache)CVSS 9.8 Score Analysis
The near-maximum score reflects:
- Network-accessible exploitation path (no physical access required)
- Low attack complexity — the overflow condition is reliably triggered
- No authentication required — the malicious AJP server needs no credentials to exploit the vulnerability
- No user interaction required
- High impact across all three categories (Confidentiality, Integrity, Availability)
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary code execution with Apache server process privileges |
| Web Application Data Access | All data served or processed by the Apache instance accessible |
| Credential Theft | Database credentials in environment variables or config files accessible |
| Lateral Movement | Compromised web server can be used as pivot into internal network |
| Service Disruption | Heap corruption can cause Apache process crash (DoS) |
| TLS Key Theft | Private TLS keys stored on the server may be accessible |
Recommendations
Immediate Actions
- Update Apache HTTP Server to the patched version addressing CVE-2026-28780 as soon as it is available — monitor the Apache Security Advisories page
- Disable mod_proxy_ajp if not needed — if the AJP proxying functionality is not required, disable the module:
a2dismod proxy_ajp # Debian/Ubuntu # Remove or comment LoadModule proxy_ajp_module in httpd.conf - Secure AJP connectors on backend servers — ensure Tomcat or other AJP backends have the AJP connector disabled or protected if not strictly required
- Firewall AJP port (8009) — block external access to AJP ports on all backend application servers
Tomcat AJP Hardening
If AJP is required, harden the Tomcat AJP connector configuration:
<!-- In Tomcat server.xml — require secret for AJP connections -->
<Connector protocol="AJP/1.3"
address="127.0.0.1"
port="8009"
redirectPort="8443"
secret="YOUR_STRONG_SECRET_HERE"
requiredSecret="YOUR_STRONG_SECRET_HERE" />The secret/requiredSecret attributes, introduced to address Ghostcat (CVE-2020-1938), require the AJP proxy to authenticate. This prevents an unauthenticated attacker from impersonating the AJP proxy.
Detection
- Monitor Apache access logs for unexpected 5xx errors or
crashes from requests proxied via mod_proxy_ajp
- Review backend AJP connector logs for connections from
unexpected source IP addresses
- Alert on unexpected Apache process exits (indicative of
heap corruption crash during exploitation attempt)
- Deploy WAF rules to inspect responses returned to
mod_proxy_ajp for anomalously large AJP message fieldsDetection Indicators
| Indicator | Description |
|---|---|
| Apache process crash / segfault | Heap corruption during exploitation attempt |
| AJP connections from unexpected sources to backend | Possible attacker impersonating Apache to reach backend AJP port |
| Unexpected outbound connections from Apache process | Possible post-exploitation C2 activity |
| Anomalous AJP message sizes in network traffic | Crafted oversized AJP responses triggering the overflow |
Post-Remediation Checklist
- Confirm patch is applied — verify Apache version reflects the patched release
- Audit mod_proxy_ajp usage — if the module was disabled, confirm it remains disabled after service restarts
- Review backend AJP exposure — ensure Tomcat AJP connectors on all backend servers are hardened or disabled
- Rotate application credentials — if exploitation cannot be ruled out, rotate database passwords, API keys, and any credentials stored in server-accessible configuration files
- Review Apache error logs — look for unusual error patterns around the time of vulnerability disclosure that may indicate prior exploitation attempts