Hi everyone,
I came across a recent security advisory regarding Apache HTTP Server and wanted to check whether Nextcloud All-in-One setups might be impacted.
Apache version 2.4.67 (released May 4, 2026) fixes several vulnerabilities, including a critical issue (CVE-2026-23918, CVSS 8.8) affecting the HTTP/2 implementation. The bug is a double-free memory corruption triggered during an early stream reset in HTTP/2, which can potentially lead to remote code execution. This specifically affects version 2.4.66
Given that Nextcloud All-in-One uses Apache with this exact version and has HTTP/2 support enabled by default in AIO, I’m wondering:
Is AIO impacted?
If yes, when will the update be released?
Would appreciate any clarification from maintainers or anyone who has looked into this.
Hey, I just checked this and Apache is not handling h2 in our case as we have a Caddy-server instance in front of Apache that handles the certs and h2 and h3. Also the h2 Apache module is not even enabled.
By the way, Ubuntu users with bare-metal installations will not be offered the new version. Anyone who wants to receive the latest security patches immediately—which is, of course, highly recommended for obvious reasons—should use Ondřej Surý’s PPA for Apache2.
The new version was available online the very next day (May 5).
Ubuntu 26.04 received a fix. All other Ubuntu releases are not affected because they use older versions of Apache, and CVE-2026-23918 only affects version 2.4.66 specifically.
I’m not sure about the Apache Docker image, though. Perhaps you could “docker exec” into the container to check which version is running. As far as I know, the Apache image is Debian-based. Here is a link to the Debian Security Tracker for reference: CVE-2026-23918.
Yes, on Ubuntu, software is usually never updated to new upstream versions within the lifetime of a release; instead, security fixes are backported to the current version.
That’s why the apache2 package still carries the version number 2.4.66 on Ubuntu 26.04, even though it received the fix. Those changes are reflected with an additional “ubuntu” version number attached to the upstream version:
Server version: Apache/2.4.67 (Debian)
Server built: 2026-05-06T09:07:41
So your version might still be vulnerable. I don’t have any experience with the Nextcloud Docker images, but perhaps you could update it in place via the following command until a new container image is released:
apt update && apt --only-upgrade install apache2
However, before doing that, you could check whether the HTTP2 module is enabled. If not, this particular flaw cannot be exploited.
There are other CVEs in that version that have been fixed, but as far as I know, they are not quite as critical.
So I’d say, it mainly depends on whether your Nextcloud is exposed to the internet. If not, I probably wouldn’t take any action and would wait for a new container image with the updated package. However, I’m not a security expert, so take this advice with a pinch of salt.
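As an added triage helper (not posted by anyone in this thread), the following script applies the two conditions the replies above describe: upstream version 2.4.66 together with a loaded http2_module. It works on the text of `apache2 -v` and `apache2ctl -M`, so it can be run inside a container or on captured output; the sample outputs below are constructed.

```shell
#!/bin/sh
# Triage helper for CVE-2026-23918 exposure as described in the thread:
# the flaw affects upstream 2.4.66 and is only reachable via mod_http2.

# Returns 0 (true) when the version banner names upstream Apache 2.4.66.
is_affected_version() {
  # $1: output of `apache2 -v` (or `httpd -v`)
  printf '%s\n' "$1" | grep -q 'Apache/2\.4\.66'
}

# Returns 0 (true) when http2_module is among the loaded modules.
h2_module_loaded() {
  # $1: output of `apache2ctl -M`
  printf '%s\n' "$1" | grep -q 'http2_module'
}

# Prints one of: exposed, version-only, not-exposed.
# "version-only" means the vulnerable version is present but mod_http2 is
# not loaded, so this particular flaw has no reachable trigger.
classify() {
  ver="$1"
  mods="$2"
  if is_affected_version "$ver"; then
    if h2_module_loaded "$mods"; then echo exposed; else echo version-only; fi
  else
    echo not-exposed
  fi
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_VERSION='Server version: Apache/2.4.66 (Debian)
Server built:   2026-04-01T00:00:00'
SAMPLE_MODS_H2='Loaded Modules:
 core_module (static)
 http2_module (shared)
 mpm_event_module (shared)'
SAMPLE_MODS_NOH2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)'

# Live use inside the container:
#   classify "$(apache2 -v)" "$(apache2ctl -M 2>/dev/null)"
```

Note the caveat from the thread: on Ubuntu a backported fix keeps the 2.4.66 banner, so "exposed" here is a prompt to confirm the package version with `dpkg -s apache2`, not a final verdict.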