HIGH 7.3

CVE-2026-44186: Apache HTTP Server mod_proxy_ftp Infinite Loop Denial of Service

Apache HTTP Server versions 2.4.0 through 2.4.67 contain a vulnerability in the mod_proxy_ftp module that can be triggered when the server proxies requests to a backend FTP server under attacker control. The vulnerability manifests as an infinite loop—a condition where the module becomes stuck in a repeating sequence and never exits cleanly. This can cause the affected worker process to hang indefinitely, consuming CPU resources and becoming unresponsive. An attacker does not need credentials or user interaction to exploit this; they only need to control or compromise the FTP server that the Apache proxy is configured to forward requests to.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-835
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in the mod_proxy_ftp module in Apache HTTP Server with an attacker controlled backend FTP server. This issue affects undefined: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44186 is a denial-of-service vulnerability rooted in an infinite loop condition (CWE-835) within Apache HTTP Server's mod_proxy_ftp module. The vulnerability arises when the module processes responses from an attacker-controlled FTP backend server. The module fails to implement proper exit conditions when handling certain FTP server responses, causing the loop to repeat indefinitely without termination. This results in the worker process becoming stuck in a computational loop, unable to handle other requests or gracefully release resources. The vulnerability requires no authentication or special privileges to trigger—a network-accessible Apache instance with mod_proxy_ftp enabled and configured to proxy to an attacker-controlled FTP server is sufficient. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects the network-adjacent attack surface and the confidentiality, integrity, and availability impact.

Business impact

Organizations running affected Apache HTTP Server versions with mod_proxy_ftp enabled face service degradation or outage risk. Worker processes can hang indefinitely when proxying FTP traffic, reducing available capacity and potentially causing request timeouts or connection refusals for legitimate users. If multiple worker processes are exploited simultaneously, the server may become effectively unavailable. Organizations that rely on FTP proxying for legacy system integration or content delivery are particularly exposed. The availability impact is direct and observable; users will experience slow responses or service interruptions. Secondary effects include increased operational overhead as system administrators investigate hung processes and restart services.

Affected systems

Apache HTTP Server versions 2.4.0 through 2.4.67 are vulnerable. This affects both stable release branches and point releases within that range. The mod_proxy_ftp module must be compiled into or loaded by the server for the vulnerability to be exploitable. Deployments that do not use FTP proxying (i.e., mod_proxy_ftp is not enabled or loaded) are not at risk. Organizations should inventory their Apache instances to identify which ones have mod_proxy_ftp active and check their version numbers against the affected range.

Exploitability

This vulnerability has a low barrier to exploitation. An attacker must either control the FTP backend server that Apache is configured to proxy to, or perform a man-in-the-middle attack on the connection between Apache and the FTP server. No authentication is required on the Apache side, and the attack does not depend on user interaction. The attacker does not need to send specially crafted HTTP requests to the Apache server itself; instead, they respond to proxy requests in a way that triggers the infinite loop in mod_proxy_ftp. This makes the attack surface relatively broad for organizations that allow untrusted or third-party FTP servers to be proxied through their Apache infrastructure. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, though this does not preclude active exploitation.

Remediation

Upgrade Apache HTTP Server to version 2.4.68 or later, which includes a fix for the infinite loop condition. Organizations unable to upgrade immediately should consider disabling the mod_proxy_ftp module if it is not required for operational purposes, or restricting access to FTP backend servers to trusted, controlled infrastructure only. Network segmentation can reduce exposure by ensuring that only authorized systems can reach the FTP servers being proxied. Additionally, monitoring for hung Apache worker processes and implementing automated restart policies can mitigate the immediate availability impact while patching is underway.

Patch guidance

Vendors recommend upgrading to Apache HTTP Server version 2.4.68. Before upgrading, test the new version in a staging environment to ensure compatibility with existing configurations and modules. Review release notes for any breaking changes or configuration adjustments. Coordinate the upgrade with change management processes to minimize service disruption. For organizations using prepackaged or vendor-supplied Apache builds, check with your distribution maintainer (e.g., Red Hat, Debian, Ubuntu) for patched packages, as they may release backported patches for older supported versions. Verify the patch version against the official Apache HTTP Server advisory once available.

Detection guidance

Monitor Apache access and error logs for patterns of worker process hangs or timeouts associated with FTP proxy requests. Look for symptoms such as increasing numbers of 'child process exited' messages, growing counts of hung worker processes, or elevated CPU usage by individual worker threads that does not correspond to legitimate traffic. Implement process monitoring (using tools like ps or systemd metrics) to detect worker processes in infinite loops—typically identified by sustained high CPU use with no socket activity. Network intrusion detection can flag unusual FTP server responses or patterns. Additionally, audit your Apache configuration to identify which systems have mod_proxy_ftp enabled and inventory the FTP backends they proxy to, enabling more targeted monitoring of high-risk configurations.

Why prioritize this

This vulnerability should be prioritized based on whether your organization runs Apache HTTP Server with mod_proxy_ftp enabled. If mod_proxy_ftp is active and you proxy to any external or untrusted FTP servers, the risk is immediate and the fix is straightforward (upgrade to 2.4.68). Organizations with only internal, trusted FTP backends can deprioritize slightly but should still plan a timely upgrade. The HIGH CVSS severity and the ease of exploitation warrant urgent attention in affected deployments. The lack of current KEV listing does not reduce priority—it may simply reflect limited public exploitation at this time.

Risk score, explained

The CVSS 3.1 score of 7.3 (HIGH) reflects a network-accessible vulnerability with no authentication or user interaction required, combined with measurable availability impact. The infinite loop causes denial of service to the affected worker process, reducing service capacity. The vulnerability also carries confidentiality and integrity components in the CVSS vector, though the primary exploitable impact is availability. The HIGH rating is justified by the ease of exploitation and the operational impact of worker process hangs in production environments.

Frequently asked questions

Do I need to patch if I do not use FTP proxying?

No. If mod_proxy_ftp is not compiled into your Apache build or is not loaded as a module, you are not vulnerable. Verify your configuration by checking httpd.conf or related files for LoadModule directives referencing proxy_ftp. If there is no FTP proxying configured, patching is not urgent, though staying current with Apache security updates remains a best practice.

Can an attacker exploit this by sending HTTP requests directly to my Apache server?

No. The vulnerability requires the attacker to control or compromise the FTP backend server that Apache is configured to proxy to. An attacker cannot trigger the infinite loop by sending HTTP requests to Apache alone. However, if your FTP backend is exposed to untrusted networks or if you proxy to third-party FTP servers, your risk is higher.

What happens to the rest of my Apache server when a worker process enters an infinite loop?

A single hung worker process consumes CPU and becomes unable to serve requests, reducing overall capacity. If you have multiple worker processes (which is typical), other processes continue to serve traffic. However, if many processes are exploited or if you run in a single-worker configuration, service degradation or outage can occur. Restarting Apache or killing the hung process can restore function, but this is disruptive to active connections.

Is there a workaround if I cannot upgrade immediately?

Yes. Disable mod_proxy_ftp if FTP proxying is not essential, or restrict network access to the FTP backends to trusted infrastructure only. Monitor for hung worker processes and implement automated restart mechanisms. These steps reduce risk and mitigate impact while you plan and execute the upgrade to version 2.4.68.

This analysis is provided for informational purposes and reflects the vulnerability details and patch guidance available as of the publication date. Vendors, CVSS scores, affected versions, and patch recommendations are based on official source data; always verify against the Apache HTTP Server security advisory and your organization's patch testing procedures before deploying updates. This document does not constitute legal or compliance advice. Organizations are responsible for assessing their own exposure and implementing appropriate remediation measures based on their operational context and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).