Question
Is UCS affected by CVE-2026-23918?
https://forge.univention.org/bugzilla/show_bug.cgi?id=59264
Answer
You can check if your system is affected by CVE-2026-23918 as follows:
- Check if your version is already patched
The CVE is only relevant up to UCS 5.2 errata < pending > / UCS 5.0 errata < pending >. Newer versions should already have received a corresponding update.
Older versions are only affected if HTTP/2 has been manually enabled. This means that UCS is not affected by the CVE by default, but only after manual configuration. This can be checked with:
root@ucs-9658:~# apache2ctl -t -D DUMP_MODULES | grep http2
http2_module (shared)
If the http2 module is listed, the version is affected, and no update is possible, HTTP/2 can be disabled with a2dismod http2
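The check above can be scripted for several hosts. This is an added example, not part of the original article or of UCS: the function names and the sample module dump are constructed for illustration. It matches the module name exactly, so a loaded proxy_http2_module (which a plain grep for http2 also prints) is not mistaken for http2_module.

```shell
#!/bin/sh
# Classify `apache2ctl -t -D DUMP_MODULES` output with respect to mod_http2.
# Reads the module dump on stdin and prints: not-loaded | shared | static
http2_module_state() {
    awk '
        # Exact match on the module name: "proxy_http2_module" must not count.
        $1 == "http2_module" { gsub(/[()]/, "", $2); state = $2 }
        END { print (state == "" ? "not-loaded" : state) }
    '
}

# Map the state to the action described in the article (hypothetical helper).
http2_advice() {
    case "$1" in
        not-loaded) echo "http2_module not loaded: HTTP/2 was not manually enabled" ;;
        shared)     echo "http2_module loaded: update, or run 'a2dismod http2' and restart apache2" ;;
        static)     echo "http2_module compiled in: a2dismod cannot unload it" ;;
        *)          echo "unexpected state: $1"; return 1 ;;
    esac
}

# Run the check against the local Apache, if apache2ctl is available.
check_local_apache() {
    command -v apache2ctl >/dev/null 2>&1 || { echo "apache2ctl not found"; return 2; }
    http2_advice "$(apache2ctl -t -D DUMP_MODULES 2>/dev/null | http2_module_state)"
}

# Constructed sample dumps (not taken from a real system).
SAMPLE_ENABLED='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 http2_module (shared)'
SAMPLE_PROXY_ONLY='Loaded Modules:
 core_module (static)
 proxy_http2_module (shared)'

for sample in "$SAMPLE_ENABLED" "$SAMPLE_PROXY_ONLY"; do
    http2_advice "$(printf '%s\n' "$sample" | http2_module_state)"
done
```

On a UCS host, call `check_local_apache` as root after sourcing the functions.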