Apache HTTP Server 2.4.66 Response Splitting via Modules: CVE-2026-33523 May 2026

Apache HTTP Server: multiple modules: HTTP response splitting forwarding malicious status line
HTTP response splitting vulnerability in multiple Apache HTTP Server modules with untrusted or compromised backend servers. This issue affects Apache HTTP Server: from through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Vulnerability Analysis

CVE-2026-33523 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

LOW

Integrity Impact:

LOW

Availability Impact:

NONE

Timeline

2026-03-05

reported

2026-05-04

2.4.67 released 60 days later.

2026-05-04

fixed in 2.4.x by r1933360

Weakness Type

DEPRECATED (Duplicate): HTTP response splitting

This weakness can be found at CWE-113.

Products Associated with CVE-2026-33523

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-33523 are published in these products:

Apache HTTP Server 2.4.66 Response Splitting via Modules
CVE-2026-33523 Published on May 4, 2026

Vulnerability Analysis

Timeline

Weakness Type

DEPRECATED (Duplicate): HTTP response splitting

Products Associated with CVE-2026-33523

Affected Versions

Apache HTTP Server 2.4.66 Response Splitting via ModulesCVE-2026-33523 Published on May 4, 2026

Vulnerability Analysis

Timeline

Weakness Type

DEPRECATED (Duplicate): HTTP response splitting

Products Associated with CVE-2026-33523

Affected Versions

Apache HTTP Server 2.4.66 Response Splitting via Modules
CVE-2026-33523 Published on May 4, 2026