Bitnami

Critical Apache RCE Patched — Bitnami Ships Fixes in Under 24 Hours

By Carlos Rodriguez posted 7 days ago

A remotely exploitable memory corruption flaw in Apache HTTP Server's HTTP/2 stack was disclosed on May 4, 2026. The Bitnami catalog responded the same day, pushing a patched Apache container image within hours and completing downstream updates across five applications the following morning.

The Vulnerability

On May 4, 2026, the Apache Software Foundation released version 2.4.67 of the Apache HTTP Server, addressing CVE-2026-23918, a double-free memory corruption bug in the HTTP/2 stack rated HIGH severity.

The flaw lives in Apache's HTTP/2 implementation (mod_http2). When a remote client resets an HTTP/2 stream early, it can trigger a double free that, under the right circumstances, leads to remote code execution (RCE). No authentication is required, and HTTP/2 is widely enabled on internet-facing Apache deployments. Note that Apache only negotiates HTTP/2 when mod_http2 is loaded and h2 (or cleartext h2c) is listed in the server's Protocols directive, so a 2.4.66 server that does not advertise HTTP/2 is less exposed, but it should still be upgraded. Only Apache HTTP Server 2.4.66 is affected.

The vulnerability was reported to the Apache Security Team on December 10, 2025, by Bartlomiej Dmitruk (striga.ai) and Stanislaw Strzalkowski (isec.pl). A code-level fix was committed the next day, with the public disclosure and release of 2.4.67 coordinated for May 4, 2026.

Bitnami's Response

Speed matters when a critical vulnerability is publicly disclosed. Bitnami's automated build pipeline ingested the upstream Apache 2.4.67 release on May 4 and published a new bitnami/apache container image and Helm chart the same day, at 13:06 UTC, about 90 minutes after the official release announcement (see the timeline below). No manual intervention was required, and there was no waiting for the next scheduled update cycle.

From there, the pipeline cascaded updates to every container image in the Bitnami catalog that bundles Apache as a runtime dependency. Starting at 11:23 UTC on May 5, nine container images across five applications (Matomo, Drupal, phpMyAdmin, WordPress, and Moodle) were rebuilt and published in under 30 minutes. Measured from the patched bitnami/apache image, the last downstream image landed 22h 43m later; measured from the upstream 2.4.67 release itself, the whole cascade took roughly 24 hours.

Release Timeline

Timestamp (UTC)        Image                      Offset
May 4, 2026  13:06     bitnami/apache             +1h 31m
May 5, 2026  11:23     bitnami/matomo             +22h 19m
May 5, 2026  11:24     bitnami/drupal (10.x.x)    +22h 20m
May 5, 2026  11:26     bitnami/drupal (11.x.x)    +22h 22m
May 5, 2026  11:30     bitnami/phpmyadmin         +22h 26m
May 5, 2026  11:31     bitnami/wordpress          +22h 27m
May 5, 2026  11:33     bitnami/moodle (5.0.x)     +22h 29m
May 5, 2026  11:37     bitnami/moodle (4.5.x)     +22h 33m
May 5, 2026  11:41     bitnami/moodle (5.1.x)     +22h 37m
May 5, 2026  11:49     bitnami/moodle (5.2.x)     +22h 43m

Offsets are as published. The bitnami/apache row is relative to the upstream 2.4.67 release (which puts that release at about 11:35 UTC on May 4). The downstream rows cannot be relative to the same baseline (11:23 UTC on May 5 would be about +23h 48m); their values are consistent with being measured from the patched bitnami/apache build, which is also the baseline for the "under 30 minutes" and "22h 43m" figures above.

Stay Protected

If you are running Apache HTTP Server 2.4.66, upgrade to 2.4.67 immediately. Bitnami users running container images can pull the latest version of the relevant image; all catalog images listed above have already been rebuilt with the patched Apache version, and no configuration changes are required. Because image tags are mutable, confirm that the rebuild actually landed in what you are running: check the Apache version reported inside the pulled image (httpd -v) rather than trusting the tag, and pin by digest where your deployment tooling allows it.
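The two conditions that determine exposure (the single affected release, 2.4.66, and HTTP/2 actually being advertised, as described under "The Vulnerability") and the post-upgrade verification step above can be checked with a small script. The following is an added shell example; it is not part of the original post and not Bitnami tooling. The `httpd -v` banner and the configuration fragments are constructed sample inputs, and the Bitnami paths mentioned in the comments (/opt/bitnami/apache/...) are assumptions about the image layout.

```shell
#!/bin/sh
# Added example: decide whether an Apache HTTP Server instance is exposed to
# CVE-2026-23918 by (a) checking for the one affected release, 2.4.66, and
# (b) checking whether HTTP/2 (h2 over TLS or cleartext h2c) is advertised
# through a Protocols directive. Not Bitnami code.

# Constructed sample inputs standing in for `httpd -v` output and httpd.conf
# fragments. On a real host or container, capture them with:
#   httpd -v                       (or: docker exec <ctr> httpd -v)
#   cat /opt/bitnami/apache/conf/httpd.conf   (path is an assumption)
HTTPD_V_AFFECTED='Server version: Apache/2.4.66 (Unix)
Server built:   Jan  1 2026 00:00:00'
HTTPD_V_FIXED='Server version: Apache/2.4.67 (Unix)
Server built:   May  4 2026 00:00:00'

CONF_H2='LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1'
CONF_NO_H2='LoadModule http2_module modules/mod_http2.so
Protocols http/1.1'
CONF_COMMENTED='# Protocols h2 http/1.1'

# Pull "2.4.66" out of an `httpd -v` banner.
httpd_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# True (exit 0) only for the single affected release named in the advisory.
version_affected() {
  [ "$(httpd_version "$1")" = "2.4.66" ]
}

# True (exit 0) when a non-comment Protocols line lists h2 or h2c. Loading
# mod_http2 alone does not enable HTTP/2; the Protocols directive does.
h2_enabled() {
  printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -Eiq '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]]+)?h2c?([[:space:]]|$)'
}

# Verdict: 0 = not the affected release, 1 = affected and HTTP/2 advertised,
# 2 = affected release but HTTP/2 not advertised (still upgrade).
assess() {
  banner=$1
  conf=$2
  ver=$(httpd_version "$banner")
  if ! version_affected "$banner"; then
    echo "OK: Apache ${ver:-unknown} is not the affected 2.4.66 release"
    return 0
  fi
  if h2_enabled "$conf"; then
    echo "VULNERABLE: Apache $ver with HTTP/2 advertised; upgrade to 2.4.67 now"
    return 1
  fi
  echo "AFFECTED: Apache $ver, HTTP/2 not advertised; upgrade to 2.4.67 anyway"
  return 2
}

# Demo over the constructed inputs (|| : keeps a non-zero verdict from
# aborting a shell that runs with set -e).
assess "$HTTPD_V_AFFECTED" "$CONF_H2" || :
assess "$HTTPD_V_AFFECTED" "$CONF_NO_H2" || :
assess "$HTTPD_V_AFFECTED" "$CONF_COMMENTED" || :
assess "$HTTPD_V_FIXED" "$CONF_H2" || :
```

To run it against a live Bitnami container, replace the constructed variables with `docker exec <container> httpd -v` and the contents of the container's Apache configuration directory (including any included vhost files, since Protocols may be set per virtual host). After pulling the rebuilt image, the same `httpd -v` check is the quickest confirmation that 2.4.67 is what actually started.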

This incident is a clear example of one of the core value propositions of the Bitnami catalog: when a security vulnerability is disclosed upstream, the entire dependency graph is rebuilt and published automatically, giving operators a clear, auditable path to a known-good state — typically within a single business day.