Disable unused Apache modules
# Debian / Ubuntusudo a2dismod status autoindex cgi cgid ldap authnz_ldap info userdirsudo apachectl -t && sudo systemctl reload apache2
# RHEL / Rocky / Alma — comment the LoadModule linessudo vi /etc/httpd/conf.modules.d/00-base.confAudit first. The list above is a starting point, not a prescription.
Why it matters
Section titled “Why it matters”A loaded module is code in the address space of a process that answers requests from the internet. It carries its vulnerabilities whether or not any of your vhosts use it.
The 2026 CVE list makes the point better than any argument:
| CVE | Module | Effect |
|---|---|---|
| CVE-2026-23918 | mod_http2 |
Double-free → RCE (CVSS 8.8), 2.4.66 only |
| CVE-2026-29167 | mod_ldap |
Dangling pointer in per-directory configs, 2.4.0–2.4.67 |
| CVE-2026-49975 | mod_http2 |
Memory exhaustion via crafted HTTP/2, 2.4.17–2.4.67 |
| CVE-2026-24072 | mod_rewrite |
Privilege escalation via .htaccess expressions |
mod_ldap is the instructive one. Almost nobody authenticates against LDAP from
Apache — yet it is loaded by default on several distributions, and for eighteen
months every version from 2.4.0 to 2.4.67 carried a dangling pointer in it. If you
never used LDAP, that was a vulnerability you had for free, in exchange for
nothing.
The ones worth turning off
Section titled “The ones worth turning off”mod_cgi / mod_cgid. This is the important one. CGI is what turns file
disclosure into remote code execution — it is exactly how
CVE-2021-41773 escalated from reading /etc/passwd to
running commands. If you serve PHP through PHP-FPM (nearly everyone now) or run an
application behind a reverse proxy, you do not need CGI.
mod_status. Publishes a live dashboard of every request in flight. It has
its own page because it leaks so much.
mod_autoindex. Generates directory listings
when there’s no index file. Disable the module and Options -Indexes becomes
belt and braces rather than the only thing standing between a visitor and your
file list.
mod_info. Serves your entire configuration at /server-info. There is no
scenario where this belongs on a production server.
mod_userdir. Maps /~alice to /home/alice/public_html. If you’re not a
1998 university, turn it off — it also enumerates local usernames by response
code.
mod_ldap / mod_authnz_ldap. Loaded by default in places, used almost
nowhere.
What you can’t turn off
Section titled “What you can’t turn off”Be realistic about mod_http2: two of 2026’s CVEs are in it, and the answer is
not to disable HTTP/2. It’s to patch. Wanting HTTP/2 means accepting
mod_http2 as attack surface and keeping it current — which is why
the pillar says patch first and everything else second.
Same for mod_rewrite: nearly every real site needs it. CVE-2026-24072 is only
exploitable by someone who can write a .htaccess file, which is why
AllowOverride None closes it independently of the
module.
The rule isn’t “load less”. It’s “don’t load what you never call”.
Related
Section titled “Related”- Protect server-status — mod_status specifically.
- The Apache path traversal — why mod_cgi is the one that matters.