Apache HTTP Server 2.4.67 patches 11 vulnerabilities including CVE-2026-23918 (double-free and potential RCE in HTTP/2), CVE-2026-28780 (heap buffer overflow in AJP message handling), and others causing DoS and information disclosure. Apache MINA versions 2.2.7 and 2.1.12 fix two critical vulnerabilities (CVE-2026-42778 and CVE-2026-42779) that are incomplete fixes of previous RCE and allowlist bypass flaws related to insecure deserialization and improper checks. The vendor recommends explicitly allowing classes in ObjectSerializationDecoder instances post-upgrade. These vulnerabilities enable remote attackers to execute arbitrary code, cause service disruption, or leak sensitive information.

The vulnerabilities allow remote attackers to execute arbitrary code on affected systems, cause denial-of-service conditions, bypass authentication mechanisms, manipulate HTTP responses, and disclose sensitive information. Successful exploitation could lead to full system compromise or service disruption. The issues affect widely used Apache HTTP Server and Apache MINA components, making them critical for organizations running these services.

Apache has released official patches in HTTP Server version 2.4.67 and MINA versions 2.2.7 and 2.1.12 that address these vulnerabilities. Organizations should promptly upgrade to these patched versions. Additionally, for Apache MINA, it is necessary to explicitly configure the ObjectSerializationDecoder to allow only trusted classes to prevent insecure deserialization exploits. No indication of incomplete mitigation remains after applying these updates.