CVE-2026-42535 — Apache HTTP Server: mod_dav_fs protected directory access

Description

A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child process crashes. Users are recommended to upgrade to version 2.4.68, which fixes this issue.

How to fix CVE-2026-42535

To remediate CVE-2026-42535, upgrade the affected package to a fixed version below.

Bitnami/apache—upgrade to 2.4.68 or later
Debian/apache2—no fix listed

Is CVE-2026-42535 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-42535.

Affected packages (2)

from 0, < 2.4.68
from 0

CVSS scores

Source	Version	Severity	Vector
nvd	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-42535
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2026-42535
WEBwww.openwall.com/lists/oss-security/2026/06/08/8