A critical remote code execution vulnerability has been discovered in Apache HTTP Server versions 2.4.x through 2.4.58, potentially affecting millions of servers worldwide. The vulnerability, tracked as CVE-2026-1337, allows unauthenticated attackers to execute arbitrary code on affected systems.
Security researchers at Qualys discovered the flaw during a routine audit of Apache's mod_proxy module. The vulnerability can be triggered by sending a specially crafted HTTP request, requiring no authentication or special privileges.
The Apache Software Foundation has released emergency patches and urges all administrators to update immediately.