Skip to content

Disable unused Apache modules

Severity: highApplies to: Apache httpd 2.4.xApplies to: Apache httpd 2.4.68
The fix
Terminal window
# Debian / Ubuntu
sudo a2dismod status autoindex cgi cgid ldap authnz_ldap info userdir
sudo apachectl -t && sudo systemctl reload apache2
# RHEL / Rocky / Alma — comment the LoadModule lines
sudo vi /etc/httpd/conf.modules.d/00-base.conf

Audit first. The list above is a starting point, not a prescription.

A loaded module is code in the address space of a process that answers requests from the internet. It carries its vulnerabilities whether or not any of your vhosts use it.

The 2026 CVE list makes the point better than any argument:

CVE Module Effect
CVE-2026-23918 mod_http2 Double-free → RCE (CVSS 8.8), 2.4.66 only
CVE-2026-29167 mod_ldap Dangling pointer in per-directory configs, 2.4.0–2.4.67
CVE-2026-49975 mod_http2 Memory exhaustion via crafted HTTP/2, 2.4.17–2.4.67
CVE-2026-24072 mod_rewrite Privilege escalation via .htaccess expressions

mod_ldap is the instructive one. Almost nobody authenticates against LDAP from Apache — yet it is loaded by default on several distributions, and for eighteen months every version from 2.4.0 to 2.4.67 carried a dangling pointer in it. If you never used LDAP, that was a vulnerability you had for free, in exchange for nothing.

mod_cgi / mod_cgid. This is the important one. CGI is what turns file disclosure into remote code execution — it is exactly how CVE-2021-41773 escalated from reading /etc/passwd to running commands. If you serve PHP through PHP-FPM (nearly everyone now) or run an application behind a reverse proxy, you do not need CGI.

mod_status. Publishes a live dashboard of every request in flight. It has its own page because it leaks so much.

mod_autoindex. Generates directory listings when there’s no index file. Disable the module and Options -Indexes becomes belt and braces rather than the only thing standing between a visitor and your file list.

mod_info. Serves your entire configuration at /server-info. There is no scenario where this belongs on a production server.

mod_userdir. Maps /~alice to /home/alice/public_html. If you’re not a 1998 university, turn it off — it also enumerates local usernames by response code.

mod_ldap / mod_authnz_ldap. Loaded by default in places, used almost nowhere.

Be realistic about mod_http2: two of 2026’s CVEs are in it, and the answer is not to disable HTTP/2. It’s to patch. Wanting HTTP/2 means accepting mod_http2 as attack surface and keeping it current — which is why the pillar says patch first and everything else second.

Same for mod_rewrite: nearly every real site needs it. CVE-2026-24072 is only exploitable by someone who can write a .htaccess file, which is why AllowOverride None closes it independently of the module.

The rule isn’t “load less”. It’s “don’t load what you never call”.