Apache mod_proxy_cluster CRLF Injection (CVE-2026-3234)
CVE-2026-3234 Published on March 12, 2026

Mod_proxy_cluster: mod_proxy_cluster: response body corruption via crlf injection
A flaw was found in mod_proxy_cluster. This vulnerability, a Carriage Return Line Feed (CRLF) injection in the decodeenc() function, allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of INFO endpoint responses. Exploitation requires network access to the MCMP protocol port, but no authentication is needed.

NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is a CRLF Injection Vulnerability?

The software uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

CVE-2026-3234 has been classified to as a CRLF Injection vulnerability or weakness.


Products Associated with CVE-2026-3234

stack.watch emails you whenever new vulnerabilities are published in Red Hat Enterprise Linux (RHEL) or Red Hat Jboss Core Services. Just hit a watch button to start following.

Red Hat Enterprise Linux (RHEL)
 
Red Hat Jboss Core Services
 

Affected Versions

Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 9: Red Hat JBoss Core Services: Red Hat JBoss Core Services: