
Is Plesk affected by CVE-2026-23918? (Double Free and possible RCE in Apache http2 module)

Applies to: Plesk Obsidian for Linux

Question

Is Plesk affected by CVE-2026-23918?

Answer

The issue affects Apache 2.4.66 and specifically its http2 module.
Plesk uses the Apache packages from the OS repositories, so if the OS distribution provides Apache 2.4.66, the server is affected by the issue.

If Apache 2.4.66 is installed, update Apache to version 2.4.67 (manually via CLI, or via the Tools & Settings > System Updates menu).

The Apache version can be checked via the OS package manager, or via the Tools & Settings > Server Components menu.

How to check Apache version and install updates via CLI:
  1. Connect to the server via SSH
  2. Check currently installed Apache version:

    • On Ubuntu/Debian:

    # apt info apache2
    Package: apache2 
    Version: 2.4.52-1ubuntu4.19 
    Priority: optional 
    Section: web 
    Origin: Ubuntu 
    Maintainer: Ubuntu Developers ubuntu-devel-discuss@lists.ubuntu.com
    Original-Maintainer: Debian Apache Maintainers debian-apache@lists.debian.org
    ...

    • On RHEL-like (RHEL, CentOS, AlmaLinux, Rocky Linux, CloudLinux):

    # yum info httpd
    Installed Packages 
    Name : httpd 
    Version : 2.4.62 
    Release : 7.el9_7.3 
    Architecture : x86_64 
    Size : 59 k 
    Source : httpd-2.4.62-7.el9_7.3.src.rpm 
    Repository : @System 
    ...

  3. Check for available updates and install them:

    • On Ubuntu/Debian:

    # apt update && apt list --upgradable

    Note: On Ubuntu/Debian the listed updates are installed with the apt upgrade command

    • On RHEL-like (RHEL, CentOS, AlmaLinux, Rocky Linux, CloudLinux):

    # yum update
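The steps above are typed by hand; the following POSIX shell script is an added example (not part of the Plesk article and not a Plesk tool) that automates the same check. It reads the installed Apache package version from dpkg or rpm, compares it with the affected 2.4.66 release named above, and also reports whether the http2 and proxy_http2 modules are currently loaded. The package names apache2 and httpd are the distribution defaults used in the article; everything else is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Plesk article): is the installed Apache the affected
# 2.4.66 release, and are the HTTP/2 modules loaded?

AFFECTED_VERSION="2.4.66"   # affected release named in the article
FIXED_VERSION="2.4.67"      # release the article says to update to

# Strip packaging suffixes: "2.4.52-1ubuntu4.19" -> "2.4.52", "2.4.62-7.el9_7.3" -> "2.4.62"
apache_upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p'
}

# Exit status 0 when the package version is the affected upstream release
is_affected_version() {
    [ "$(apache_upstream_version "$1")" = "$AFFECTED_VERSION" ]
}

# Installed Apache package version from the OS package manager (empty if not installed)
installed_apache_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' apache2 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' httpd 2>/dev/null || true
    fi
}

# Names of the HTTP/2 modules Apache currently loads, one per line (empty if none);
# "apachectl -M" lists loaded modules, Debian/Ubuntu also ship it as apache2ctl
loaded_http2_modules() {
    for ctl in apachectl apache2ctl; do
        if command -v "$ctl" >/dev/null 2>&1; then
            "$ctl" -M 2>/dev/null | awk '/^ *(http2|proxy_http2)_module/ {print $1}'
            return 0
        fi
    done
    return 0
}

report() {
    v=$(installed_apache_version)
    if [ -z "$v" ]; then
        echo "No apache2/httpd package found via dpkg or rpm"
        return 0
    fi
    if is_affected_version "$v"; then
        echo "Apache $v is the affected $AFFECTED_VERSION release: update to $FIXED_VERSION"
    else
        echo "Apache $v is not the affected $AFFECTED_VERSION release"
    fi
    mods=$(loaded_http2_modules)
    if [ -n "$mods" ]; then
        echo "HTTP/2 modules loaded: $(echo "$mods" | tr '\n' ' ')"
    else
        echo "No http2/proxy_http2 module loaded"
    fi
}

report
```

Run it as root on the Plesk server; the module check is what tells you whether the workaround below (disabling http2 and proxy_http2) is still relevant after the package update.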

Workaround - Disable HTTP/2 (in an Apache-only environment, if the updates cannot be installed)
  1. Log into Plesk
  2. Navigate to Tools & Settings > Apache & Nginx Settings
  3. Disable the following modules: http2, proxy_http2
  4. Connect to the server via SSH
  5. Check the status of Nginx:

# plesk sbin nginxmng --status

If the command outputs Disabled, the server uses an Apache-only setup.

  6. Verify whether example.com (a hosted domain or the Plesk hostname) uses HTTP/2 or HTTP/1.1:

# curl -IvLk https://example.com

When HTTP/1.1 is used, the output looks like the following:

*   Trying 203.0.113.2:80...
* Connected to example.com (203.0.113.2) port 80 (#0)
> HEAD / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Wed, 06 May 2026 11:23:49 GMT
Date: Wed, 06 May 2026 11:23:49 GMT
< Server: Apache
Server: Apache
< Location: https://example.com/
Location: https://example.com/
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1

<
* Connection #0 to host example.com left intact
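Reading the negotiated protocol out of verbose curl output by eye is error-prone, so here is an added shell example (not part of the Plesk article) that checks it two ways: live, via curl's own %{http_version} write-out variable, and offline, by parsing saved "curl -Iv" output for the last "< HTTP/x.y" status line. The URL, the constructed sample output and the verdict wording are assumptions of this example; -k and -L mirror the article's curl call.

```shell
#!/bin/sh
# Added example (not from the Plesk article): which HTTP version did the site negotiate?

# Live check: curl's write-out variable prints "2" for HTTP/2 and "1.1" for HTTP/1.1.
# -k skips certificate verification and -L follows redirects, as in the article's command.
negotiated_http_version() {
    curl -sS -o /dev/null -k -L -w '%{http_version}' "$1"
}

# Offline check on saved "curl -Iv" output: take the version from the last "< HTTP/x.y status"
# line, because with -L the final hop after redirects is the one that matters.
http_version_from_verbose() {
    awk '/^< HTTP\// { v = $2; sub(/^HTTP\//, "", v) } END { print v }' "$1"
}

# Map a version string to a verdict on the HTTP/2 workaround
http2_verdict() {
    case "$1" in
        2|2.0|3) echo "HTTP/2 or later still negotiated: http2/proxy_http2 is still active" ;;
        1.0|1.1) echo "HTTP/1.1 negotiated: HTTP/2 is disabled for this site" ;;
        *)       echo "Could not determine HTTP version ('$1')" ;;
    esac
}

# Constructed sample of "curl -Iv" output, shaped like the article's HTTP/1.1 example
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
> HEAD / HTTP/1.1
> Host: example.com
< HTTP/1.1 301 Moved Permanently
< Location: https://example.com/
EOF
http2_verdict "$(http_version_from_verbose "$SAMPLE")"
rm -f "$SAMPLE"

# Live usage against a real host (network required), for example:
#   http2_verdict "$(negotiated_http_version https://example.com)"
```

Run the live check against a domain hosted on the server after disabling the modules; a verdict of "HTTP/2 or later still negotiated" means the module change has not taken effect yet (for example, Apache was not restarted or Nginx is still in front of it).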
