Apache HTTP Server deployments using WebDAV must upgrade to 2.4.68. CVE-2026-42535 affects Apache httpd 2.4.67 and earlier and can let an authorized WebDAV content author corrupt trusted DAV property data and crash child processes.
CVE-2026-42535 is not a Microsoft product vulnerability. The CVE record identifies an Apache HTTP Server issue in mod_dav_fs, the filesystem provider used by Apache WebDAV.
Impact is direct. Apache HTTP Server 2.4.67 and earlier are affected when WebDAV is enabled through mod_dav and backed by mod_dav_fs. A WebDAV content author can manipulate trusted DAV property databases through a path handling flaw. The likely result is process instability and child process crashes.
Severity needs context. Apache rates the issue as moderate in its Apache HTTP Server 2.4 vulnerability advisory. The NVD entry for CVE-2026-42535 lists a CISA ADP CVSS 3.1 score of 9.1, Critical, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. NVD had not provided its own enrichment score at publication time.
Affected systems are Apache HTTP Server versions through 2.4.67. The vulnerable component is mod_dav_fs. The relevant configuration is WebDAV authoring, typically enabled with Dav On or Dav filesystem. Apache documents mod_dav_fs as the filesystem provider for mod_dav. That module provides access to resources stored in the server file system.
The risk is narrow but serious. This is not a generic unauthenticated remote code execution report. The described actor is a WebDAV content author. That means the attacker needs WebDAV authoring capability, stolen credentials, a compromised account, or an exposed write-enabled DAV location. Once inside that boundary, the attacker can reach metadata that Apache expects to remain trusted.
WebDAV changes the threat model. It extends HTTP so clients can create, move, copy, delete, lock, and update resources on a server. Apache’s mod_dav documentation warns that DAV-enabled locations require careful security controls because remote clients can manipulate server-side files. That warning applies directly here.
The vulnerable path is in metadata handling. WebDAV does not only store file content. It also tracks properties and locking state. mod_dav_fs uses filesystem-backed storage and a DAV lock database configured through DavLockDB. Apache states that this database must live in a directory writable by the Apache runtime user, and recommends creating a dedicated directory for it rather than loosening permissions on an existing directory.
CVE-2026-42535 breaks an assumption. DAV property databases are supposed to be internal trust data. A content author should be able to manage authorized WebDAV content, not directly alter trusted property database files. The flaw lets path handling cross that boundary. That can corrupt state used by Apache during WebDAV operations and cause child processes to crash.
Fix now. Upgrade Apache HTTP Server to version 2.4.68. Apache released 2.4.68 on June 8, 2026, and identifies it as the fixed release for CVE-2026-42535. Source users should verify release signatures and hashes through Apache’s download process. Package users should install vendor-provided builds when available.
Administrators should also reduce exposure. Disable WebDAV where it is not required. Remove Dav On from locations that do not need remote authoring. Restrict DAV methods to authenticated and authorized users only. Review access rules around PUT, DELETE, MOVE, COPY, PROPFIND, PROPPATCH, LOCK, and UNLOCK. Treat every DAV author account as high-risk until patched.
Check configuration. Look for LoadModule dav_module, LoadModule dav_fs_module, Dav On, Dav filesystem, and DavLockDB in Apache configuration. Review virtual hosts, directory blocks, location blocks, included config files, and container images. WebDAV can be enabled in a limited path while the rest of the server appears to be a normal website.
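The configuration check described above, as an added shell helper that is not part of the advisory or of Apache: it lists every line in a config tree that loads mod_dav/mod_dav_fs or enables authoring, and tests whether a reported `httpd -v` version is below 2.4.68. The config root path and the sample config files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added audit helper, not from Apache or the advisory. Scans an Apache config
# tree for the directives the text names and checks a reported version string.
# Assumes the config root is passed as $1 (e.g. /etc/httpd or /etc/apache2).

# List every LoadModule dav_module / dav_fs_module, Dav On, Dav filesystem
# and DavLockDB line as file:line:text. Apache directives are case-insensitive,
# and the leading anchor skips commented-out copies.
dav_audit() {
    find "$1" -type f \( -name '*.conf' -o -name '*.load' \) -print0 2>/dev/null \
      | xargs -0 grep -HinE \
        '^[[:space:]]*(LoadModule[[:space:]]+dav(_fs)?_module[[:space:]]|Dav[[:space:]]+(On|filesystem)([[:space:]]|$)|DavLockDB[[:space:]])'
}

# Returns 0 when the "httpd -v" / "apache2 -v" output passed as $1 reports a
# version below 2.4.68, 1 when it is 2.4.68 or later, 2 when unparseable.
httpd_needs_upgrade() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    printf '%s\n' "$ver" | awk -F. '{ exit !($1 < 2 || ($1 == 2 && ($2 < 4 || ($2 == 4 && $3 < 68)))) }'
}

# Demo on a constructed config tree (sample, not a real deployment).
tmp=$(mktemp -d)
mkdir -p "$tmp/conf.d"
cat > "$tmp/httpd.conf" <<'EOF'
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DocumentRoot "/var/www/html"
EOF
cat > "$tmp/conf.d/authoring.conf" <<'EOF'
DavLockDB /var/lib/dav/lockdb
<Directory "/var/www/html/authoring">
    dav on
</Directory>
EOF
echo "DAV-related directives found:"
dav_audit "$tmp"
if httpd_needs_upgrade "Server version: Apache/2.4.67 (Unix)"; then
    echo "Apache/2.4.67 is below 2.4.68: upgrade required"
fi
rm -rf "$tmp"
```

Run it against the real config root and feed it the real `httpd -v` output; a hit in a container image layer or an included file counts the same as one in httpd.conf.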
Harden the DAV repository. Apache recommends authentication for any DAV-enabled location and warns against giving DAV access to untrusted users. Enforce TLS. Avoid Basic Authentication without TLS. Keep the DAV repository private to Apache. Do not mix WebDAV writes with FTP writes, direct filesystem edits, deployment scripts, or shared storage workflows that bypass Apache’s metadata model.
Use temporary controls if patching is delayed. Remove authoring access. Disable DAV on affected paths. Limit access by source network. Rotate credentials for DAV authors. Monitor error logs for child process crashes and access logs for abnormal DAV methods. These controls reduce risk, but they do not replace the 2.4.68 update.
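The monitoring step above, as an added example that is not part of the advisory: three small shell functions run over constructed sample log lines, counting child-process crash notices in the error log and pulling DAV authoring requests and the accounts behind them out of a combined-format access log. The sample lines, IP addresses and user names are constructed; the default Apache error log and combined access log formats are assumed.

```shell
#!/bin/sh
# Added log-triage helpers, not from the advisory. Sample log lines below are
# constructed for the demo. Assumes the default error_log format and the
# "combined" access_log format (authenticated user is the third field).

# Count child-process crash notices. Apache logs these as
# "child pid N exit signal <name> (<num>)" (message id AH00052).
count_child_crashes() {
    grep -c 'child pid [0-9][0-9]* exit signal' "$1"
}

# Print requests using DAV authoring methods so they can be correlated
# with crash timestamps. PROPFIND is read-only and deliberately left out.
dav_write_requests() {
    grep -E '"(PUT|DELETE|MKCOL|COPY|MOVE|PROPPATCH|LOCK|UNLOCK) ' "$1"
}

# Distinct authenticated accounts issuing those methods, one per line.
dav_write_users() {
    dav_write_requests "$1" | awk '{ print $3 }' | sort -u
}

# Demo on constructed logs (sample data, not real traffic).
tmp=$(mktemp -d)
cat > "$tmp/error_log" <<'EOF'
[Mon Jun 08 12:00:00.000001 2026] [mpm_event:notice] [pid 1000:tid 1] AH00489: Apache/2.4.67 (Unix) configured -- resuming normal operations
[Mon Jun 08 12:00:05.123456 2026] [core:notice] [pid 1000:tid 1] AH00052: child pid 1240 exit signal Segmentation fault (11)
[Mon Jun 08 12:00:09.654321 2026] [core:notice] [pid 1000:tid 1] AH00052: child pid 1241 exit signal Segmentation fault (11)
EOF
cat > "$tmp/access_log" <<'EOF'
203.0.113.5 - alice [08/Jun/2026:12:00:04 +0000] "PROPPATCH /authoring/report.docx HTTP/1.1" 207 412
203.0.113.5 - alice [08/Jun/2026:12:00:05 +0000] "MOVE /authoring/report.docx HTTP/1.1" 500 0
198.51.100.7 - - [08/Jun/2026:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - bob [08/Jun/2026:12:00:08 +0000] "PUT /authoring/notes.txt HTTP/1.1" 201 0
EOF
echo "child crashes: $(count_child_crashes "$tmp/error_log")"
echo "DAV write requests:"
dav_write_requests "$tmp/access_log"
echo "DAV authors seen: $(dav_write_users "$tmp/access_log" | tr '\n' ' ')"
rm -rf "$tmp"
```

A crash notice a second or two after a PROPPATCH or MOVE from the same author account is the pattern worth escalating; a 500 on the DAV request itself is a second signal.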
Timeline is clear. The issue was reported to the Apache security team on April 27, 2026. Apache fixed it in the 2.4.x branch on June 5, 2026. Apache HTTP Server 2.4.68 shipped on June 8, 2026. NVD published the CVE on June 8, 2026. CISA ADP added CVSS 3.1 scoring on June 9, 2026.
Security teams should prioritize internet-facing WebDAV services first. Next, patch internal authoring portals, document repositories, build artifact drops, and legacy collaboration folders. The attacker path starts with DAV author capability, but those credentials are often reused, stored in scripts, or assigned broadly to teams. Reduce that access now.
Required action: upgrade to Apache HTTP Server 2.4.68, verify WebDAV exposure, restrict DAV author accounts, and disable WebDAV where it is not operationally required.