A new Apache HTTP Server flaw is doing the rounds. CVE-2026-23918 is a double-free bug in the HTTP/2 module of Apache 2.4.66 that opens the door to denial-of-service and, on the right configuration, remote code execution. The Apache Software Foundation has published the advisory and a working proof-of-concept is already in the wild, as detailed in the NVD entry. CVSS sits at 8.8.
If you run anything on Apache 2.4.66 with HTTP/2 enabled — and HTTP/2 is on by default if mod_http2 is loaded — you are exposed. That’s a much larger group than most owners realise. Plenty of Australian SMB websites, hosted booking systems, internal Linux servers, customer portals, and self-hosted WordPress sites sit behind an Apache web server. The vendor’s fix is in Apache 2.4.67. If your hosting provider, web developer, or in-house IT manages the box, the question to ask today is simple: are we on 2.4.67 yet?
Why this matters for Australian businesses
For an attacker, this is two TCP packets and no authentication required. That’s about as low-effort as it gets. With the Privacy Act reforms and mandatory ransomware reporting now in force, a server compromise isn’t just a technical headache — it’s a notification obligation. Hospitality groups running their own booking sites, NFPs hosting donor portals, and wealth managers running document portals on shared infrastructure should all be checking.
What to do today
Confirm the Apache version on every web-facing server. Upgrade any 2.4.66 install to 2.4.67. If you can’t patch immediately, disable mod_http2 as a temporary mitigation. If you’re not sure what version you’re running or who’s responsible, that’s the conversation to have first — and it’s exactly the kind of thing a managed provider should be on top of for you. See how our cybersecurity service handles patch management or get in touch if you’d like a second pair of eyes on your stack.
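As an added example (not from the original post or the Apache project), here is a small POSIX sh triage helper for the three steps above: it reads the output of `httpd -v` / `apache2 -v` and `apachectl -M`, flags hosts on the 2.4.66 release the post names, and reports whether mod_http2 is loaded so you know whether the temporary mitigation applies. The helper function names and the sample command outputs are constructed for this example; the only version it flags is 2.4.66, exactly as stated above, and it does not try to guess at any other release.

```shell
#!/bin/sh
# Added example: Apache 2.4.66 / mod_http2 triage helper (constructed, not from the post).
# Feed it the live output of `apache2 -v` (or `httpd -v`) and `apachectl -M` on each
# web-facing host; the SAMPLE_* strings below are constructed stand-ins for offline use.

# Extract "2.4.66" from a line like: "Server version: Apache/2.4.66 (Unix)"
apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) only for the release named in the advisory summary above.
is_affected_version() {
    [ "$1" = "2.4.66" ]
}

# True (exit 0) when `apachectl -M` lists http2_module, i.e. mod_http2 is loaded.
http2_loaded() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# One-word verdict per host:
#   PATCH   -> 2.4.66 with mod_http2 loaded: upgrade to 2.4.67 or disable mod_http2 now
#   UPGRADE -> 2.4.66 without mod_http2: still upgrade, but the HTTP/2 path is not loaded
#   OK      -> not the affected release
triage() {
    ver=$(apache_version "$1")
    if is_affected_version "$ver"; then
        if http2_loaded "$2"; then
            echo "PATCH"
        else
            echo "UPGRADE"
        fi
    else
        echo "OK"
    fi
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_V_OLD='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
SAMPLE_V_NEW='Server version: Apache/2.4.67 (Debian)
Server built:   2026-01-01T00:00:00'
SAMPLE_MODS_H2='Loaded Modules:
 core_module (static)
 http_module (static)
 http2_module (shared)
 ssl_module (shared)'
SAMPLE_MODS_NOH2='Loaded Modules:
 core_module (static)
 http_module (static)
 ssl_module (shared)'

# Stand-alone run over the constructed samples. On a live Debian/Ubuntu host use:
#   triage "$(apache2 -v)" "$(apachectl -M 2>/dev/null)"
# Temporary mitigation from the post (Debian/Ubuntu): sudo a2dismod http2 && sudo systemctl reload apache2
# RHEL-family: comment out the LoadModule http2_module line under conf.modules.d and reload httpd.
if [ "${RUN_SAMPLES:-1}" = "1" ]; then
    echo "2.4.66 with mod_http2:    $(triage "$SAMPLE_V_OLD" "$SAMPLE_MODS_H2")"
    echo "2.4.66 without mod_http2: $(triage "$SAMPLE_V_OLD" "$SAMPLE_MODS_NOH2")"
    echo "2.4.67:                   $(triage "$SAMPLE_V_NEW" "$SAMPLE_MODS_H2")"
fi
```

Run it once per server (or wrap the `triage` call in a loop over an SSH host list) and anything that comes back `PATCH` goes to the top of today's list; after upgrading or running `a2dismod http2`, re-run it to confirm the verdict changed, since a module that is still loaded after a reload is the most common way this mitigation silently fails.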
