CVE-2026-3234
CRLF Injection in mod_proxy_cluster Allows Response Corruption
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | mod_proxy_cluster | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3234 is a vulnerability in the mod_proxy_cluster module, specifically in its decodeenc() function, which suffers from a Carriage Return Line Feed (CRLF) injection flaw.
This flaw allows a remote attacker to bypass input validation and inject CRLF sequences into the cluster configuration.
As a result, the response body of the INFO endpoint can become corrupted.
Exploitation requires network access to the MCMP protocol port (typically port 6666), but no authentication is needed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network access to the MCMP protocol port, typically port 6666, which is used by the mod_proxy_cluster module. Since exploitation involves sending MCMP CONFIG messages that inject CRLF sequences, inspecting traffic on this port for unusual or malformed MCMP messages may help identify attempts to exploit the flaw.
Network traffic analysis tools such as tcpdump or Wireshark can be used to capture and analyze packets on port 6666. For example:
- `tcpdump -i <interface> port 6666 -w capture.pcap`
- `wireshark capture.pcap` (to analyze captured MCMP messages for CRLF injection patterns)
Additionally, reviewing the mod_proxy_cluster configuration and logs for unexpected or corrupted INFO endpoint responses may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the MCMP protocol port (typically port 6666) to trusted internal or management networks only, as exploitation requires network access to this port.
Since no authentication is required for exploitation, ensuring that only authorized systems can communicate on this port is critical.
Additionally, monitoring and filtering MCMP CONFIG messages to detect and block suspicious CRLF injection attempts can help reduce risk.
Applying any available patches or updates from the vendor addressing this vulnerability should be done as soon as possible.
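The inspection of MCMP CONFIG messages described in the detection and mitigation answers above can be scripted. The following is an added example, not code from mod_proxy_cluster or from this page: it assumes MCMP's HTTP-like framing with an `&`-separated, percent-encoded key=value body, and the sample messages and the names `split_message`, `crlf_findings` and `scan` are constructed for illustration.

```python
"""Flag MCMP CONFIG messages whose parameters decode to CR or LF (added example)."""
from urllib.parse import unquote_to_bytes

# Constructed sample messages, not real captures. Assumed framing: request line
# and headers, a blank line, then an '&'-separated key=value body.
SAMPLES = [
    b"CONFIG / HTTP/1.1\r\nHost: lb.example\r\n\r\n"
    b"JVMRoute=node1&Host=10.0.0.5&Port=8009&Type=ajp",
    b"CONFIG / HTTP/1.1\r\nHost: lb.example\r\n\r\n"
    b"JVMRoute=node2&Host=10.0.0.6&Port=8009&Alias=app%0d%0aX&Type=ajp",
    b"STATUS / HTTP/1.1\r\nHost: lb.example\r\n\r\nJVMRoute=node1&Load=50",
]


def split_message(raw):
    """Return (method, body) for one reassembled MCMP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method = head.split(b" ", 1)[0].decode("ascii", "replace")
    return method, body


def crlf_findings(raw, methods=("CONFIG",)):
    """Return [(key, decoded_value)] for parameters that contain CR or LF."""
    method, body = split_message(raw)
    if method not in methods:
        return []
    findings = []
    # A trailing line terminator after the body is framing, not a parameter value.
    for pair in body.rstrip(b"\r\n").split(b"&"):
        key, _, value = pair.partition(b"=")
        dec_key, dec_value = unquote_to_bytes(key), unquote_to_bytes(value)
        # Check the decoded form: that is what reaches the stored configuration.
        if any(c in dec_key + dec_value for c in (b"\r", b"\n")):
            findings.append((dec_key.decode("ascii", "replace"), dec_value))
    return findings


def scan(messages):
    """Return [(index, findings)] for every message with at least one finding."""
    return [(i, f) for i, m in enumerate(messages) if (f := crlf_findings(m))]


if __name__ == "__main__":
    for index, findings in scan(SAMPLES):
        for key, value in findings:
            print(f"message {index}: parameter {key!r} decodes to {value!r}")
```

To use it on real traffic, pass the reassembled TCP payloads from the port 6666 capture to `scan()` as a list of byte strings.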
How can this vulnerability impact me?
This vulnerability allows an attacker to corrupt the response body of the INFO endpoint by injecting CRLF sequences.
Since no authentication is required, an attacker with network access to the MCMP protocol port can exploit this issue.
However, the severity is classified as low, and exploitation requires access to a typically restricted internal or management network port.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know