Apache HTTP Server AJP Smuggling (CVE-2022-26377): Anatomy of a High-Impact Proxy Flaw

A deep technical analysis of CVE-2022-26377, an HTTP request smuggling flaw in Apache HTTP Server's mod_proxy_ajp module. We dissect the vulnerability's mechanics, affected versions, detection strategies, and patching guidance for security teams. (June 2026)


ZeroPath Team

2026-06-26

A single malformed HTTP header can open the door to backend compromise, letting one request bypass authentication and other front-end security controls. CVE-2022-26377, a high-severity flaw in Apache HTTP Server's mod_proxy_ajp module, has proven just how dangerous protocol desynchronization can be in modern web infrastructure. Attackers exploited this bug to smuggle unauthorized requests into backend AJP servers, impacting Apache deployments and major enterprise products like NetApp ONTAP and IBM QRadar.

TLDR:

  • CVE-2022-26377 lets attackers smuggle unauthorized requests past Apache HTTP Server's mod_proxy_ajp via malformed Transfer-Encoding headers.
  • Affects Apache 2.4.0-2.4.53 with mod_proxy_ajp active; patched in 2.4.54, with 2.4.68 covering all related flaws.
  • 2025-2026 saw new mod_proxy_ajp flaws (CVE-2026-34032, CVE-2026-28780) and smuggling bugs in Pingora, Jetty, and libsoup.
  • Protocol desynchronization remains a recurring vulnerability class across HTTP implementations, extending beyond Apache.
  • Check server logs for duplicate Content-Length or Transfer-Encoding headers and configure WAFs to block malformed requests.

Four concepts behind CVE-2022-26377

Before getting into the mechanics of CVE-2022-26377, you need to hold four concepts in your head.

HTTP request smuggling

HTTP request smuggling exploits disagreements between two HTTP parsers, typically a front-end proxy and a backend server, about where one request ends and the next begins. The attacker crafts an ambiguous request that one parser reads one way, and another reads it differently. The leftover bytes are prepended to the next request the backend processes, allowing the attacker to control or poison other users' requests.

AJP (Apache JServ Protocol)

AJP is a binary protocol designed for communication between a web server (e.g., Apache httpd) and a Java application server (e.g., Tomcat). It predates HTTP/2 and was built for performance on internal networks, not for exposure to untrusted traffic. AJP connections carry raw request data between tiers, which makes parser disagreements at that boundary particularly dangerous.

mod_proxy_ajp

The Apache httpd module that proxies HTTP requests from the front-end server to an AJP backend. When mod_proxy_ajp is active, Apache translates incoming HTTP requests into AJP packets and forwards them to the backend. In CVE-2022-26377, this translation step is where the header confusion is introduced.

Transfer-Encoding / Content-Length desynchronization

HTTP allows two ways to specify the request body length: the Content-Length header (a fixed byte count) and Transfer-Encoding: chunked (a streaming format where each chunk declares its own size). When both headers are present, or when Transfer-Encoding carries a non-standard value like "chunked, chunked", different parsers make different decisions about which one wins. That gap is the attack surface CVE-2022-26377 exploits.

How CVE-2022-26377 works

Vulnerability mechanism

CVE-2022-26377 is rooted in the inconsistent parsing of HTTP request headers between Apache HTTP Server's mod_proxy_ajp module and the backend AJP (Apache JServ Protocol) server. The flaw affects Apache HTTP Server versions 2.4.0 through 2.4.53 when mod_proxy_ajp is active and configured to forward requests to an AJP backend (e.g., Tomcat).

Exploitation details

  • Trigger: The attacker sends an HTTP request with a malformed or duplicated Transfer-Encoding: chunked, chunked header.
  • Apache Behavior: Apache strips the Content-Length header but does not properly validate the non-standard Transfer-Encoding value.
  • Result: The body of the HTTP request can contain additional, attacker-controlled AJP packets.
  • Backend Behavior: The backend AJP server (such as Tomcat) may interpret these as separate requests, allowing HTTP request smuggling.

This discrepancy allows an attacker to inject hidden requests that bypass frontend security controls, which can lead to:

  • Unauthorized access to backend applications
  • Session hijacking via cookie injection
  • Cache poisoning
  • Cross-site scripting (XSS) propagation

Example attack flow

  POST /target HTTP/1.1
  Host: vulnerable-server
  Transfer-Encoding: chunked, chunked
  Content-Length: 524

  [malicious AJP packet here]

The backend AJP server may process the malicious AJP packet as a separate, valid request, allowing the attacker to interact with internal resources or escalate privileges.

Affected configurations

  • Apache HTTP Server with mod_proxy_ajp active
  • Backend AJP servers (e.g., Tomcat, IBM WebSphere)
  • Common in enterprise deployments and products that rely on Apache as a frontend proxy

Attack vectors

  • Direct exploitation by sending crafted HTTP requests to vulnerable Apache servers
  • Chained attacks using public proof-of-concept code to target downstream products (e.g., IBM QRadar, NetApp ONTAP)
  • Automated exploitation via offensive security frameworks

Patching CVE-2022-26377

The Apache team fixed CVE-2022-26377 in version 2.4.54, released June 8, 2022. The fix corrected the inconsistent handling of malformed Transfer-Encoding headers in mod_proxy_ajp, closing the desynchronization gap that allowed request smuggling into AJP backends.

Subsequent releases handled related mod_proxy_ajp flaws found after the original patch. Apache HTTP Server 2.4.68 (released June 8, 2026) is the current stable release and covers CVE-2022-26377 along with all known related vulnerabilities in the module.

Upgrade guidance:

  • If you are on any version between 2.4.0 and 2.4.53, upgrade to 2.4.68 to patch CVE-2022-26377 and all subsequently found mod_proxy_ajp issues.
  • If upgrading immediately is not possible, disable mod_proxy_ajp on any server where AJP backends are not actively in use.
  • Configure your WAF to reject requests with malformed or duplicate Transfer-Encoding headers as a temporary mitigation.

Patch source: Apache HTTP Server Security Vulnerabilities

Recent Apache HTTP Server security fixes (2.4.68)

In the latest release of Apache HTTP Server, version 2.4.68 (released June 8, 2026), the Apache team fixed several vulnerabilities to improve server security and stability.

  • mod_proxy_html buffer overflow (CVE-2026-34355): Fixes a moderate buffer overflow when an untrusted backend sends crafted responses
  • Privilege escalation via .htaccess expressions (CVE-2026-44119): Prevents local .htaccess authors from reading files with httpd user privileges
  • mod_dav_fs protected directory access (CVE-2026-42535): Fixes a path handling issue that allowed WebDAV authors to manipulate trusted DAV property databases
  • OOB read in merge_response_headers (CVE-2026-43951): Fixes an out-of-bounds read in mod_headers when multiple response languages are active
  • mod_proxy_ftp infinite loop (CVE-2026-44186): Fixes a denial-of-service condition triggered by an attacker-controlled backend FTP server
  • mod_http2 denial of service (CVE-2026-49975): Patches excessive memory allocation in HTTP/2 handling
  • mod_http2 use-after-free (CVE-2026-48913): Patches memory corruption when file handles are exhausted under load
  • mod_ldap use-after-free (CVE-2026-29167): Fixes a per-directory configuration memory safety issue

Upgrade guidance:

  • Upgrade to Apache HTTP Server 2.4.68 (the current stable release as of June 2026) to remediate CVE-2022-26377 and all known related vulnerabilities.

How to detect CVE-2022-26377

Detecting HTTP request smuggling vulnerabilities, such as CVE-2022-26377, requires a layered approach due to the subtle nature of these attacks. The core of this vulnerability lies in the inconsistent interpretation of HTTP request headers between the Apache HTTP Server's mod_proxy_ajp module and the AJP server it forwards requests to. This discrepancy can be exploited to smuggle malicious requests, potentially leading to unauthorized actions or data manipulation.

Indicators of compromise (IoCs):

  • Anomalous Log Entries: Look for HTTP requests in server logs that contain multiple or conflicting Content-Length and Transfer-Encoding headers. Such discrepancies can indicate attempts to exploit vulnerabilities in request smuggling.
  • Unexpected 4xx or 5xx Responses: A surge in client errors (4xx) or server errors (5xx) without corresponding legitimate requests may suggest that smuggled requests are causing unintended behavior.
  • Unusual Backend Behavior: Monitor for unexpected actions on backend systems that do not match logged frontend requests, as this may indicate that smuggled requests are being processed.

Detection strategies:

  1. Log Analysis: Regularly review server logs for irregularities in HTTP headers, especially focusing on duplicate or conflicting Content-Length and Transfer-Encoding headers. Automated log analysis tools can assist in identifying these patterns.
  2. Traffic Inspection: Deploy network monitoring tools with deep packet inspection capabilities to analyze HTTP traffic for anomalies indicative of request-smuggling attempts.
  3. Security Testing: Use security scanners and penetration testing tools that target HTTP request smuggling vulnerabilities. These tools can simulate attack scenarios to identify potential weaknesses.
  4. Web Application Firewalls (WAFs): Configure WAFs to detect and block malformed HTTP requests that could be used in smuggling attacks. Verify that the WAF rules are up to date and tailored to detect patterns associated with request smuggling.
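The header check behind strategies 1 and 4 (and behind the Transfer-Encoding / Content-Length concept section earlier in this article) can be written down precisely. The following is an added example, not code from the article or from Apache. classify_framing() applies the strict RFC 7230 framing rules a front end or WAF should enforce, and scan_log() runs the same check over access-log lines and tallies 4xx/5xx responses per client. It assumes a custom LogFormat that records both headers via %{Transfer-Encoding}i and %{Content-Length}i (the default combined format logs neither), and it assumes that a repeated header field is logged merged into one comma-separated value, which is what makes a doubled header show up as "chunked, chunked"; if your build logs only the first value, only the single-header form is visible this way. The log lines in the block are constructed.

```python
"""Detection helper for TE/CL request-smuggling indicators.

Added example, not the article's or Apache's code. Two parts:
  1. classify_framing(): the strict check a WAF or front end should apply
     to a request's Transfer-Encoding / Content-Length headers (RFC 7230
     3.3.3: Transfer-Encoding wins over Content-Length, and the only final
     coding a server should accept is a single "chunked").
  2. scan_log(): the same check over access-log lines. Assumption: a
     LogFormat that records the two headers, e.g.
       LogFormat "%h %t \"%r\" %>s \"%{Transfer-Encoding}i\" \"%{Content-Length}i\"" smuggle
     and repeated header fields merged as "a, b", so two Transfer-Encoding
     headers appear as "chunked, chunked" (the value named in the article).
"""
import re
from collections import Counter

# Constructed sample log lines in the format above (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 [26/Jun/2026:10:00:01 +0000] "POST /api/login HTTP/1.1" 200 "-" "42"
203.0.113.10 [26/Jun/2026:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 "-" "-"
198.51.100.7 [26/Jun/2026:10:00:03 +0000] "POST /target HTTP/1.1" 400 "chunked, chunked" "524"
198.51.100.7 [26/Jun/2026:10:00:04 +0000] "POST /target HTTP/1.1" 502 "chunked" "524"
198.51.100.7 [26/Jun/2026:10:00:05 +0000] "POST /target HTTP/1.1" 400 "-" "10, 20"
198.51.100.7 [26/Jun/2026:10:00:06 +0000] "POST /upload HTTP/1.1" 200 "gzip, chunked" "-"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<te>[^"]*)" "(?P<cl>[^"]*)"$'
)


def classify_framing(te, cl):
    """Return the reasons a request's body framing is ambiguous or malformed.

    te / cl are the merged header values as strings, or None when absent.
    An empty list means the framing is unambiguous.
    """
    reasons = []
    if te is not None and cl is not None:
        reasons.append("both Transfer-Encoding and Content-Length present")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings.count("chunked") != 1:
            reasons.append(f"chunked appears {codings.count('chunked')} times in Transfer-Encoding")
        elif codings[-1] != "chunked":
            reasons.append("chunked is not the final transfer coding")
    if cl is not None:
        values = {v.strip() for v in cl.split(",")}
        if len(values) > 1:
            reasons.append("conflicting Content-Length values")
        elif not re.fullmatch(r"\d+", cl.strip()):
            reasons.append("non-numeric Content-Length")
    return reasons


def _hdr(value):
    """httpd logs "-" for an absent header; normalise that to None."""
    return None if value in ("", "-") else value


def scan_log(text):
    """Return (findings, errors): flagged lines and a 4xx/5xx count per client."""
    findings = []
    errors = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        f = m.groupdict()
        if f["status"][0] in "45":
            errors[f["host"]] += 1
        reasons = classify_framing(_hdr(f["te"]), _hdr(f["cl"]))
        if reasons:
            findings.append({"host": f["host"], "time": f["time"], "request": f["request"],
                             "status": int(f["status"]), "reasons": reasons})
    return findings, errors


if __name__ == "__main__":
    found, errs = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['host']} {f['request']!r} -> {f['status']}: {'; '.join(f['reasons'])}")
    print("4xx/5xx per client:", dict(errs))
```

Note that "gzip, chunked" is not flagged: it is legal framing with chunked as the final coding, and a rule that rejects it will break real clients. The three findings in the sample all come from one client alongside its error burst, which is the pairing the IoC list above describes.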

Monitoring guidance:

  • Regular Updates: Keep all components of the web server and proxy configurations up to date with the latest versions, as patches for known vulnerabilities are often included in updates.
  • Configuration Reviews: Periodically review and audit server and proxy configurations so they adhere to security best practices and do not inadvertently allow inconsistent request parsing.
  • Incident Response Planning: Develop and maintain an incident response plan that includes procedures for detecting, analyzing, and mitigating HTTP request smuggling attacks.

Detection Source: GitHub PoC and Analysis

Affected versions and configurations

  • Apache HTTP Server: Versions 2.4.0 through 2.4.53 with mod_proxy_ajp active
  • NetApp Clustered Data ONTAP: Affected via bundled Apache HTTP Server
  • IBM HTTP Server and QRadar: Affected via the inherited Apache codebase
  • Fedora Linux: Fedora 35/36 with vulnerable Apache packages
  • Other downstream products: Any software or appliance using the Apache HTTP Server with mod_proxy_ajp in the vulnerable version range

Vendor response and disclosure timeline

  • Apache: Generally strong security response, with a mature disclosure process and relatively prompt patch cycles for high-severity issues. The fix for CVE-2022-26377 was released in version 2.4.54 within a few months of discovery. Prior issues with HTTP parsing and request smuggling have been reported and patched repeatedly, a sign of the ongoing complexity of proxy protocol handling.
  • NetApp and IBM: Both vendors issued advisories and patches in response to the disclosure, with NetApp releasing NTAP-20220624-0005 and IBM updating QRadar and HTTP Server products.

2025 and 2026: Request smuggling is not going away

CVE-2022-26377 created a clear precedent: when proxy layers disagree on how to parse HTTP requests, attackers find a way in. That pattern has not gone away.

In May 2026, CVE-2026-34032 was disclosed: a new flaw in mod_proxy_ajp on Windows that affects Apache HTTP Server through 2.4.66. Earlier in 2026, CVE-2026-28780 describes a buffer overflow in mod_proxy_ajp triggered when the module connects to a malicious AJP server. Both flaws are patched in Apache 2.4.67 and 2.4.68, respectively.

In December 2025, Cloudflare disclosed HTTP/1.x request-smuggling vulnerabilities in its open-source Pingora proxy framework (CVE-2026-2833 and related vulnerabilities). The disclosure showed the same class of protocol desynchronization bug surfacing in modern, actively maintained infrastructure, extending beyond legacy Apache deployments.

The broader 2026 picture reinforces the same lesson. Eclipse Jetty disclosed CVE-2026-2332, an HTTP request smuggling flaw in its HTTP/1.1 parser. Crystal's HTTP::Server received a smuggling disclosure in April 2026. libsoup, the GNOME HTTP client/server library, logged CVE-2026-1801 for non-RFC-compliant parsing that opens a smuggling path. Protocol desynchronization is not an Apache problem; it is a recurring flaw across HTTP implementations.

| CVE | Product/component | Flaw type | Patched in |
|---|---|---|---|
| CVE-2022-26377 | Apache mod_proxy_ajp | TE/CL desynchronization via malformed Transfer-Encoding header | Apache 2.4.54 (all related: 2.4.68) |
| CVE-2026-34032 | Apache mod_proxy_ajp (Windows) | AJP request smuggling on Windows hosts | Apache 2.4.67 |
| CVE-2026-28780 | Apache mod_proxy_ajp | Buffer overflow when connecting to a malicious AJP server | Apache 2.4.68 |
| CVE-2026-2833 (+ related) | Cloudflare Pingora (open-source) | HTTP/1.x request smuggling via protocol desynchronization | Patched (December 2025 OSS disclosure) |
| CVE-2026-2332 | Eclipse Jetty | HTTP/1.1 request smuggling in parser | Jetty patch (2026) |
| N/A | Crystal HTTP::Server | Request smuggling via non-compliant HTTP parsing | Patched (April 2026 disclosure) |
| CVE-2026-1801 | libsoup (GNOME) | Non-RFC-compliant parsing opens a smuggling path | Patched (2026) |

Teams running Apache with mod_proxy_ajp should confirm they are on 2.4.68 and audit AJP backend trust boundaries.

How ZeroPath helps catch what proxy flaws expose

CVE-2022-26377 is a patching issue at the infrastructure layer, but what makes it dangerous is the damage smuggled requests can cause once they reach the backend. Missing authentication checks, broken access control, and business logic flaws are the conditions that turn a request smuggling path into a full compromise. That is where application-layer scanning matters.

ZeroPath's AI-native SAST pipeline analyzes authentication flows, authorization logic, and business rules across your codebase, extending beyond syntactic patterns. It confirms whether a path from a real public entry point reaches vulnerable logic, and flags missing auth checks, privilege escalation paths, and IDORs that a smuggled request could exploit. Every confirmed finding includes a mandatory source-to-sink trace and step-by-step attack path, so your team understands the exposure before an attacker does.

On the dependency side, ZeroPath's SCA confirms whether vulnerable versions of Apache HTTP Server or AJP-related components appear in your dependency graph, and whether the affected code paths are actually reachable, so you're triaging real risk, not package-inventory noise.

If your stack runs a proxy layer in front of application servers, that boundary is exactly where authentication gaps, broken access control, and business logic flaws sit exposed. ZeroPath's reachability analysis maps which of those paths a request can actually reach from the network, and the mandatory source-to-sink trace on every confirmed finding shows whether a gap leads to real, exploitable logic, so your team knows what needs fixing before an attacker finds out.

Final thoughts on CVE-2022-26377 and proxy security

CVE-2022-26377 is patched, but the vulnerability class it belongs to is not going away. Protocol desynchronization (two layers of a stack reading the same request differently) keeps resurfacing across HTTP implementations, from Apache to Jetty to Cloudflare's own proxy infrastructure. See how ZeroPath traces paths before an attacker does, confirming which authentication gaps and broken access-control flaws a smuggled request could actually exploit. Closing a specific CVE is a point solution; what protects you over time is understanding that any stack sitting between a client and a backend carries this risk, and that the real exposure lives in what a smuggled request can reach once it gets through. That means authentication gaps, broken access controls, and business logic flaws matter just as much as the proxy patch.

FAQ

Apache HTTP Server: AJP smuggling vs regular HTTP smuggling?

AJP smuggling exploits the translation layer between Apache's front-end HTTP parser and the binary AJP protocol used with Java application servers like Tomcat, making header disagreements particularly dangerous at that internal boundary. Regular HTTP smuggling targets disagreements between two HTTP parsers (typically a front-end proxy and a backend server), but both exploit the same root cause: ambiguous parsing of the Content-Length and Transfer-Encoding headers.

Can I detect exploitation of CVE-2022-26377 in existing logs?

Check server logs for HTTP requests containing duplicate or conflicting Content-Length and Transfer-Encoding headers, especially malformed values like Transfer-Encoding: chunked, chunked. A surge in 4xx/5xx errors without corresponding legitimate requests or unexpected backend actions that don't match logged frontend requests also indicates potential exploitation attempts.

What's the fastest way to remediate CVE-2022-26377?

Upgrade to Apache HTTP Server 2.4.68, which patches CVE-2022-26377 and all related mod_proxy_ajp vulnerabilities found through 2026. If you cannot upgrade immediately, configure your WAF to block requests with malformed Transfer-Encoding headers, audit which systems have mod_proxy_ajp active, and disable it where AJP backends aren't actually in use.

How does reachability analysis help after patching proxy flaws?

Reachability analysis confirms whether vulnerable code paths in your application (missing auth checks, broken access control, business logic flaws) are actually reachable from network entry points, so you know which gaps a smuggled request could exploit even after the proxy layer is patched. ZeroPath's SAST traces paths from real public endpoints to vulnerable logic with mandatory source-to-sink evidence, showing your team which authentication boundaries matter before an attacker tests them.
