
CVE-2026-29170: Apache HTTP Server 2.4.68 fixes mod_proxy_ftp XSS

Vulnerabilities Reporter

Apache HTTP Server deployments using mod_proxy_ftp can expose users to cross-site scripting through generated FTP directory listings. Upgrade to 2.4.68 now.

Impact

CVE-2026-29170 affects Apache HTTP Server 2.4.67 and earlier. The flaw is in mod_proxy_ftp. The risk is cross-site scripting.

This is not a Microsoft vulnerability, despite the supplied Microsoft Security Update Guide page title. The authoritative records identify Apache Software Foundation as the source. Track the issue through the NVD entry, the Apache HTTP Server 2.4 vulnerability page, and the CVE record.

Severity is split by source. CISA ADP lists CVSS 3.1 as 6.1, Medium, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Apache rates the issue low. NVD has not assigned its own CVSS score as of its June 9, 2026 analysis.

The vulnerability exists when Apache generates HTML directory listings for FTP directory contents through mod_proxy_ftp. That can occur in forward proxy or reverse proxy configurations. An attacker who controls content shown in an FTP directory listing may be able to inject script into the generated HTML. A victim must view the crafted listing. No authentication is required for the attack path described by the CVSS vector.

Affected Products

Affected product: Apache HTTP Server.

Affected versions: 2.4.67 and earlier. NVD lists affected CPE configurations up to, but excluding, 2.4.68. Apache states the issue affects versions through 2.4.67.

Affected module: mod_proxy_ftp.

Affected configurations: deployments that use Apache as an FTP proxy and expose generated HTML FTP directory listings, either through forward proxy behavior or reverse proxy behavior.

Not every Apache deployment is exposed. Servers that do not load or use mod_proxy_ftp are not on the direct vulnerable path. Servers that do not proxy FTP directory listings are also outside the main risk condition. Confirm actual module use. Do not rely only on package inventory.

Technical Details

mod_proxy_ftp lets Apache proxy FTP resources through HTTP-facing infrastructure. When a client requests an FTP directory through the proxy, Apache can generate an HTML page that represents the FTP directory contents. That generated page is the vulnerable surface.

The weakness is CWE-79, improper neutralization of input during web page generation. In practical terms, data from the FTP listing can reach HTML output without sufficient escaping for script-capable browser contexts. If attacker-controlled text is rendered as markup, the browser may execute it as script instead of displaying it as plain text.

This is a classic XSS failure mode. The server is not necessarily compromised. The browser session is the target. The attacker aims at users who view the generated listing.

A likely attack shape is simple. The attacker places crafted names or metadata in an FTP directory controlled by them or reachable through a trusted proxy path. A user accesses that FTP directory through Apache. Apache builds the HTML directory listing. The browser parses attacker-supplied content as active markup. Script runs in the origin context of the Apache-served page.

That origin context matters. XSS can expose cookies, tokens, page content, internal URLs, or user actions available to the browser under that origin. The CVSS vector reflects this. Confidentiality impact is low. Integrity impact is low. Availability impact is none. Scope is changed because execution in the browser can cross the original vulnerable component boundary.

The attack requires user interaction. A user must load the malicious listing or follow a crafted link. That lowers severity. It does not remove urgency for internet-facing proxy services, shared administrative portals, intranet gateways, or environments where users routinely browse FTP resources through Apache.

Why It Matters

Proxy features often sit at trust boundaries. They translate one protocol into another. They also normalize, rewrite, and generate content. That makes output encoding critical.

FTP directory listings were not designed as browser-safe HTML. Filenames and listing fields may contain characters that have meaning in HTML. If those characters are not encoded before rendering, text becomes structure. Structure can become script.
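To make the CWE-79 failure mode in the two preceding sections concrete, the following added example (not Apache's code, and not how mod_proxy_ftp is implemented; the listing renderer, the `FtpEntry` type and the sample entries are constructed here) renders a small FTP listing into HTML twice: once by concatenating the filenames verbatim, and once escaping each field for the context it lands in (attribute versus text). The second entry's name carries markup characters, which an FTP server will store and echo back in a LIST response exactly as given.

```python
# Added example: contrast an unescaped and an escaped HTML rendering of FTP
# directory-listing entries. Illustrative only; not mod_proxy_ftp's code.
import html
from dataclasses import dataclass
from urllib.parse import quote


@dataclass
class FtpEntry:
    """One row of a directory listing (constructed type for this example)."""
    name: str
    size: int


# Constructed listing: the second name is what an attacker-controlled FTP
# directory might return; it is plain text to FTP but markup to a browser.
SAMPLE_ENTRIES = [
    FtpEntry("README.txt", 1204),
    FtpEntry("<script>x</script>.txt", 0),
]


def render_listing_unsafe(entries):
    """Vulnerable pattern: listing fields are pasted into HTML verbatim."""
    rows = "".join(
        f'<li><a href="{e.name}">{e.name}</a> ({e.size} bytes)</li>'
        for e in entries
    )
    return f"<ul>{rows}</ul>"


def render_listing_safe(entries):
    """Hardened pattern: encode each field for its own output context.

    The href is URL-encoded and then attribute-escaped; the visible name is
    HTML-escaped; the size is coerced to an integer so it cannot carry text.
    """
    rows = "".join(
        f'<li><a href="{html.escape(quote(e.name), quote=True)}">'
        f"{html.escape(e.name)}</a> ({int(e.size)} bytes)</li>"
        for e in entries
    )
    return f"<ul>{rows}</ul>"


def leaks_raw_tag(rendered: str) -> bool:
    """True if a raw <script> start tag survived into the generated page."""
    return "<script>" in rendered


if __name__ == "__main__":
    print("unsafe :", render_listing_unsafe(SAMPLE_ENTRIES))
    print("safe   :", render_listing_safe(SAMPLE_ENTRIES))
```

The point of the two renderers is the one the article makes: the same bytes are data in the FTP protocol and structure in HTML, and the only thing separating the two outputs is whether encoding happens at the protocol boundary. Note that the href and the link text need different encodings; escaping only one of them still leaves a script-capable context.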

The vulnerable path is narrow, but it is exposed in a component that administrators may forget is enabled. Apache modules are often loaded through distribution defaults, legacy configuration, or inherited reverse proxy templates. Audit the live configuration, not just the intended architecture.

Mitigation

Upgrade Apache HTTP Server to 2.4.68. That is the vendor fix. Apache states that version 2.4.68 fixes CVE-2026-29170.

If immediate upgrade is not possible, reduce exposure while patching. Disable mod_proxy_ftp if it is not required. Remove FTP proxy mappings. Restrict access to FTP proxy endpoints. Block untrusted FTP destinations where feasible. Treat these as temporary controls. They are not substitutes for the fixed release.

Administrators should verify loaded modules with platform-appropriate commands, then inspect Apache configuration for FTP proxy directives and reverse proxy rules. Review package builds from Linux distributions or appliance vendors, since downstream packages may backport the fix without changing the visible upstream version string.

After patching, restart Apache where required. Confirm the running process uses the updated binary or patched package. Validate that mod_proxy_ftp behavior still matches operational requirements.
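The verification steps above (check the loaded modules, inspect the configuration for FTP proxy directives, compare the running version with the fixed release) can be scripted. The following is an added example, not a tool shipped with Apache; it takes the text of `httpd -M`, `httpd -v` and the configuration tree as input, and the three sample strings below are constructed for the example. The `httpd -M`, `httpd -v`, `LoadModule`, `ProxyPass`, `ProxyPassReverse` and `ProxyRequests` names are real Apache commands and directives; the hostnames and paths are placeholders.

```python
# Added example: audit mod_proxy_ftp exposure from Apache command output and
# configuration text. Not part of Apache; inputs below are constructed.
import re

FIXED_VERSION = (2, 4, 68)  # release the article names as the vendor fix

# Constructed output of `httpd -M` (or `apachectl -M` / `apache2ctl -M`).
SAMPLE_MODULES_OUTPUT = """Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
"""

# Constructed output of `httpd -v`.
SAMPLE_VERSION_OUTPUT = (
    "Server version: Apache/2.4.67 (Unix)\n"
    "Server built:   Jun  1 2026 10:00:00\n"
)

# Constructed configuration fragment (placeholder hostnames and paths).
SAMPLE_CONFIG = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# Reverse proxy: an internal FTP tree published as HTML listings
ProxyPass /mirror/ ftp://ftp.internal.example/pub/
ProxyPassReverse /mirror/ ftp://ftp.internal.example/pub/
# Forward proxy: clients may request arbitrary ftp:// URLs
ProxyRequests On
"""

DIRECTIVE_PATTERNS = [
    re.compile(r"^\s*LoadModule\s+proxy_ftp_module\b", re.I),
    re.compile(r"^\s*ProxyPass(Match|Reverse)?\s+.*\bftp://", re.I),
    re.compile(r"^\s*ProxyRequests\s+On\b", re.I),
]


def proxy_ftp_loaded(modules_output: str) -> bool:
    """True if `httpd -M` output lists proxy_ftp_module."""
    return any(line.strip().startswith("proxy_ftp_module")
               for line in modules_output.splitlines())


def parse_version(version_output: str):
    """Extract (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None


def find_ftp_proxy_directives(config_text: str):
    """Return (line_no, directive) for uncommented lines that create FTP proxy
    exposure: the module load, ftp:// reverse-proxy mappings, and a forward
    proxy (ProxyRequests On), which serves ftp:// URLs once the module is in."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if any(p.search(line) for p in DIRECTIVE_PATTERNS):
            findings.append((no, line.strip()))
    return findings


def assess(modules_output: str, version_output: str, config_text: str) -> dict:
    """Combine the three checks into one verdict for this host."""
    version = parse_version(version_output)
    findings = find_ftp_proxy_directives(config_text)
    loaded = proxy_ftp_loaded(modules_output)
    # Exposed = module loaded AND at least one directive that actually routes
    # FTP through it (the LoadModule line alone is not a proxy path).
    exposed = loaded and any(
        not d.lower().startswith("loadmodule") for _, d in findings)
    return {
        "version": version,
        # Only a hint: distribution packages may backport the fix without
        # changing the version string, as the article notes.
        "version_below_fix": version is not None and version < FIXED_VERSION,
        "proxy_ftp_loaded": loaded,
        "ftp_proxy_directives": findings,
        "exposed": exposed,
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_MODULES_OUTPUT, SAMPLE_VERSION_OUTPUT,
                       SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Run it against real output by substituting `subprocess.run(["httpd", "-M"], ...)` and a walk of the configuration directory for the constructed strings; the `version_below_fix` flag should be read together with the distribution's changelog, since a backported fix leaves the upstream string at 2.4.67 or lower.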

Timeline

March 4, 2026: Report received by Apache.

June 4, 2026: Fixed in Apache 2.4.x by revision r1934982.

June 8, 2026: Apache HTTP Server 2.4.68 released.

June 8, 2026: NVD published CVE-2026-29170.

June 9, 2026: NIST performed initial analysis and added affected Apache HTTP Server configurations.

Required Action

Patch Apache HTTP Server to 2.4.68.

Confirm whether mod_proxy_ftp is loaded.

Find all forward and reverse proxy paths that expose FTP directory listings.

Disable unused FTP proxy functionality.

Monitor web logs for suspicious FTP listing requests, unusual encoded characters, and links sent to users that route through Apache FTP proxy endpoints.
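The last step, monitoring web logs for FTP listing requests with unusual encoded characters and for links that route users through the FTP proxy, is the kind of check that is easy to write down and rarely written. The following is an added example (not an Apache or vendor tool): it parses Combined Log Format lines, keeps only requests that reach an FTP proxy path, and flags those whose decoded target carries markup characters or that arrive via a Referer on another site. The four log lines, the `/mirror/` prefix and the `proxy.example` hostname are constructed for the example; replace the prefix with the mappings found in your own configuration.

```python
# Added example: flag suspicious requests to Apache FTP proxy endpoints in a
# Combined Log Format access log. Sample lines, prefix and hosts are constructed.
import re
from urllib.parse import unquote, urlparse

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2026:10:01:02 +0000] "GET /mirror/pub/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2026:10:01:09 +0000] "GET /mirror/pub/%3Cscript%3Ex%3C/script%3E.txt HTTP/1.1" 404 512 "http://mail.example/" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2026:10:02:30 +0000] "GET ftp://ftp.example.org/incoming/ HTTP/1.1" 200 1890 "-" "curl/8.5.0"
198.51.100.7 - - [09/Jun/2026:10:02:44 +0000] "GET /static/app.js HTTP/1.1" 200 40211 "-" "curl/8.5.0"
"""

# Assumptions for this example: reverse-proxy prefixes that map to ftp://
# backends, and the hostnames under which this Apache instance is reached.
FTP_PROXY_PREFIXES = ("/mirror/",)
OWN_HOSTS = {"proxy.example"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Characters that turn text into structure in HTML, checked after URL-decoding
# so %3C-style encoding does not hide them.
MARKUP_RE = re.compile(r"""[<>"']|javascript:""", re.I)


def parse_line(line: str):
    """Split one Combined Log Format line into named fields, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ftp_proxy_request(target: str) -> bool:
    """Forward-proxy ftp:// targets or reverse-proxy paths mapped to FTP."""
    t = target.lower()
    return t.startswith("ftp://") or any(t.startswith(p) for p in FTP_PROXY_PREFIXES)


def classify(line: str):
    """Return a record for FTP proxy requests (None otherwise) with reasons
    the request deserves a look; 'suspicious' is True when any reason fires."""
    rec = parse_line(line)
    if rec is None or not is_ftp_proxy_request(rec["target"]):
        return None
    reasons = []
    if MARKUP_RE.search(unquote(rec["target"])):
        reasons.append("markup characters in request target")
    ref_host = (urlparse(rec["referer"]).hostname
                if rec["referer"] not in ("", "-") else None)
    if ref_host and ref_host not in OWN_HOSTS:
        reasons.append(f"reached via external link from {ref_host}")
    return {"ip": rec["ip"], "target": rec["target"], "status": rec["status"],
            "reasons": reasons, "suspicious": bool(reasons)}


def scan(log_text: str):
    """All FTP proxy requests in the log, suspicious or not, in order."""
    return [r for r in (classify(l) for l in log_text.splitlines() if l.strip())
            if r is not None]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(flag, r["ip"], r["target"], "; ".join(r["reasons"]))
```

Unflagged records are still worth keeping: they are the inventory of who actually uses the FTP proxy path, which is the input to the "disable unused FTP proxy functionality" step. Legitimate filenames can contain quotes, so treat a single hit as a lead rather than an alert, and weight the external-Referer signal more heavily for the intranet gateways and shared portals the article calls out.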

This is a browser-execution issue in generated proxy output. Patch the server. Reduce the exposed proxy surface. Verify the running version.
