CVE-2026-42535 is a vulnerability in Apache HTTP Server
Published on June 8, 2026
Apache HTTP Server: mod_dav_fs protected directory access
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes.
Users are recommended to upgrade to version 2.4.68, which fixes this issue.
Timeline
Report received
fixed in 2.4.x by r1935013 39 days later.
2.4.68 released 3 days later.
Weakness Type
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Products Associated with CVE-2026-42535
Want to know whenever a new CVE is published for Apache HTTP Server? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache HTTP Server:- Before and including 2.4.67 is affected.