ZDI 2026-06-11

ZDI-26-356: Apache HTTP Server mod_proxy_ajp Out-Of-Bounds Read Information Disclosure Vulnerability

CVE-2026-34032

Machine-generated analysis · WAYSCloud LLM

The vulnerability requires prior compromise of an AJP backend to enable information disclosure via mod_proxy_ajp.

Context

The affected product is Apache HTTP Server with mod_proxy_ajp enabled. The vulnerability is an out-of-bounds read that can disclose sensitive information. Exploitation requires the attacker to already have control of an AJP backend associated with the server. The CVSS score is 3.7, indicating a low severity impact.

Operator considerations

Check: Verify if mod_proxy_ajp is enabled and configured on the Apache HTTP Server.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache HTTP Server. An attacker must first obtain the ability to compromise an AJP backend associated with the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 3.7. The following CVEs are assigned: CVE-2026-34032.

Read the full advisory on ZDI →