• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

Question CVE-2026-23918, CVE-2026-24072 and update to Apache 2.4.67

I

iainh

Basic Pleskian
Server operating system version
AlmaLinux 9.7 (Moss Jungle Cat)
Plesk version and microupdate number
Plesk Obsidian 18.0.77 Update #2
Is there any advice on updating from Apache/2.4.62 (AlmaLinux) to 2.4.67 to mitigate CVE-2026-23918 and CVE-2026-24072?

Would using:
sudo dnf clean all
sudo dnf makecache
sudo dnf -y update httpd
Click to expand...
break all manner of things, or will Plesk magically bring along an emergency update to mitigate these CVE and make the issue go away (as is so often the case?)

Thanks for any advice :)
 
iainh said:
Is there any advice on updating from Apache/2.4.62 (AlmaLinux) to 2.4.67 to mitigate CVE-2026-23918 and CVE-2026-24072?
Click to expand...
As a little further info...

CVE-2026-23918 (CVSS score: 8.8) only applies to 2.4.66 and is in http/2 support, so I presume 2.4.62 and not enabling http/2 mean this shouldn't be an issue.

And CVE-2026-24072 (also CVSS score: 8.8) permits local .htaccess authors to read files with the privileges of the httpd user, so it all depends on whether a box has numerous users with the ability to save/update .htaccess files as to whether this is a realistic threat?
 
Hey there,
I'm on Ubuntu where Plesk uses the distribution-provided Apache packages, and Ubuntu applies security fixes via backported patches rather than upgrading to the latest upstream version (e.g. 2.4.67).

Even though the version shows 2.4.58-1ubuntu8.12, the relevant CVEs (e.g. CVE-2026-23918, CVE-2026-24072) are already fixed, which you can verify via:
Code: 
apt changelog apache2
So there is no need to manually upgrade Apache. Doing so outside the package manager could break Plesk compatibility.

Although I'm not an AlmaLinux user, I asked AI how to test this:
The situation is conceptually similar on AlmaLinux 9 (and other RHEL-based systems) but handled differently to Ubuntu.

AlmaLinux also does not necessarily upgrade Apache to the latest upstream version (e.g. 2.4.67). Instead, it maintains a stable version (e.g. 2.4.57) and applies security patches via backporting, tracked through the RPM changelog.
You can verify this with:
Code: 
rpm -q --changelog httpd | grep -i cve
or check advisories via:
Code: 
dnf updateinfo list security | grep httpd

If the relevant CVEs (e.g. CVE-2026-23918, CVE-2026-24072) are listed as fixed, then the system is not vulnerable, even if the version number appears outdated.

I hope this helps.
 
You must log in or register to reply here.

Similar threads

Bitpalast
Input "Copy Fail" vulnerability: Update your kernel! Do not trust other solutions!
Replies
4
Views
1K
JVG
J
C
Issue Plesk-mail-pc-driver update 18.0.76.5 causes Dovecot authentication database desync on every automatic update
Replies
6
Views
1K
Sebahat.hadzhi
Sebahat.hadzhi
N
Issue 421 Misdirected Request on Apache-only Plesk server after recent Apache update (CVE-2025-23048)
Replies
2
Views
8K
NatuurlijkHosting
N
Matt N
Issue Maria DB 10.11 > 11.4 upgrade results in issues with Plesk Repair Tool - reports innodb corruption in ibdata1
2
Replies
26
Views
9K
tethis IT
tethis IT
W
Resolved 421 Misdirected Request on IP address after Apache update
Replies
3
Views
7K
WiseWill
W
Back
Top