Apache HTTP Server 2.4.30-2.4.66 mod_md OCSP Resource Exhaustion Vulnerability
CVE-2026-29168 Published on May 5, 2026
Apache HTTP Server: mod_md unrestricted OCSP response
Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's mod_md via OCSP response data.
This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66.
Users are recommended to upgrade to version 2.4.67, which fixes the issue.
Vulnerability Analysis
CVE-2026-29168 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Timeline
reported
fixed in 2.4.x by r1933352 63 days later.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-29168
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-29168 are published in these products:
Affected Versions
Apache Software Foundation Apache HTTP Server:- Version 2.4.30, <= 2.4.66 is affected.