Beyond updating to a patched version, server administrators can take several steps to mitigate these vulnerabilities:
GET /icons/.%2e/ HTTP/1.1
Host: vulnerable-server.com
The following modules and features are the primary vectors for exploits in version 2.4.46:
- Vulnerability: CVE-2021-26691. A heap-based buffer overflow can be triggered by a specially crafted SessionHeader sent from an origin server.
- mod_auth_digest (Stack Overflow): Vulnerability: CVE-2020-35452.
- Attackers can send unauthorized requests through an established connection.
The second and more severe vulnerability, CVE-2021-42013, also emerged in October 2021. It involves a similar path traversal issue but with a higher CVSS score due to its potential for remote code execution (RCE). This vulnerability exists in the mod_macro module of Apache httpd. Successful exploitation could allow an attacker to execute arbitrary code on the server.
To protect against these vulnerabilities, the Apache Software Foundation has released updates to Apache httpd. Users of Apache httpd 2.4.46 and earlier should update to a version that includes the fixes for these vulnerabilities:
Apache mod_proxy Server-Side Request Forgery (SSRF) Vulnerability (CVE-2021-40438): a Server-Side Request Forgery (SSRF) vulnerability exists in mod_proxy in Apache HTTP Server versions 2.4.48 and earlier.
Understanding the Apache HTTPD 2.4.46 Vulnerabilities

Apache HTTP Server version 2.4.46, released in August 2020, was intended to fix several security issues but was soon found to be susceptible to a new set of critical and high-severity vulnerabilities. While version 2.4.46 itself addressed previous flaws, such as the remote code execution issue in mod_proxy_uwsgi, it remained the "vulnerable version" for subsequent critical disclosures that weren't fully patched until version 2.4.48.

Key Exploits and Vulnerabilities in 2.4.46