This release updates Apache HTTP Server to v2.4.67, addressing multiple security vulnerabilities and shipping dependency upgrades.

Security Fixes

• CVE-2026-34059: Heap over-read and memory disclosure in mod_proxy_ajp via ajp_parse_data()
• CVE-2026-34032: Heap buffer over-read in mod_proxy_ajp due to missing null-termination check in ajp_msg_get_string()
• CVE-2026-33857: Off-by-one out-of-bounds reads in AJP getter functions (mod_proxy_ajp)
• CVE-2026-33523: HTTP response splitting via malicious status line forwarding across multiple modules
• CVE-2026-33007: Crash in mod_authn_socache via NULL pointer dereference (forward proxy configurations)
• CVE-2026-33006: Timing attack bypass against mod_auth_digest authentication
• CVE-2026-29169: Crash via NULL pointer dereference in mod_dav_lock (indirect lock handling)
• CVE-2026-29168: Unrestricted OCSP response processing in mod_md (resource exhaustion)
• CVE-2026-28780: Heap-based buffer overflow in mod_proxy_ajp via ajp_msg_check_header()
• CVE-2026-24072: Privilege escalation via ap_expr in mod_rewrite (.htaccess)
• CVE-2026-23918: Double free and possible RCE in HTTP/2 on early stream reset

Module updates:

• mod_md updated to v2.6.10 (fixes ARI compatibility, OCSP handling, and certificate renewal reliability)
• mod_http2 updated to v2.0.39 (removes custom memory allocator that caused issues with third-party modules; fixes double-free on stream purge)

Fixed

• Resolved missing ${SRVROOT} entries in conf\extra\httpd-ssl.conf

What’s New

• Fix: Auto-healing is logging uninstalled PHP services, causing logs to consume excessive storage.
• Fix: Symlink sorting issue in the file manager.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

This release patches CVE-2026-42945 ("NGINX Rift") and includes updated extensions to address a heap memory corruption issue.

What's New

• Security: Patched CVE-2026-42945 ("NGINX Rift"), a critical vulnerability affecting NGINX.

Deployment Information

This update is rolling out to all compatible servers. 

Servers with automatic updates enabled will be patched during the regular rollout window.

Important Notes

• ⚠️ If you have disabled automatic updates, we recommend updating manually as soon as possible.
• If you experience any issues after the update, please open a support ticket, and our team can revert your server to the previous version (v1.27.1). We're actively monitoring the rollout. If you notice anything unusual, please let us know so we can investigate. 
• No action is required unless you've disabled automatic updates

RunCloud Agent v2.17.5 (Patch)

What’s New

• Fix: Resolved an issue where symlinks could not be opened with the file manager.

Deployment Information

This update will automatically roll out to all compatible servers within 72 hours.

• No action is required.
• The update installs seamlessly in the background.

RunCloud Agent v2.17.1 (Patch)

What’s New

• Fix: Resolved an auto-healing issue that caused a "database is locked" error.
• Fix: Addressed a File Manager error that occurred in certain edge cases.

Deployment Information

• This update will roll out automatically to all compatible servers within 72 hours.
• No action is required. The update installs seamlessly in the background.
• If your server does not receive the update within this timeframe, please get in touch with our support team for manual assistance.

One week after Copy Fail, another Linux kernel vulnerability has been publicly disclosed. The exploit, called "Dirty Frag", chains two kernel bugs to give any unprivileged user with shell access full root on your server.

The embargo was broken early, so there is no official patch yet, no CVE number, and a working exploit is already public.

Dirty Frag targets three kernel modules: esp4, esp6, and rxrpc. Ubuntu is particularly exposed because rxrpc loads automatically on Ubuntu, while most other distributions do not ship it by default. The Copy Fail fix from last week does not protect against this. Dirty Frag is a completely different attack path and requires its own fix.

What We Decided

Unlike Copy Fail, we did not push this mitigation automatically through the RunCloud agent. This fix disables three kernel modules and could impact servers running IPsec VPN tunnels or AFS. We did not want to risk breaking production servers without the owner's knowledge.

The fix needs to be applied manually. It takes one command and under a minute.

How to Apply the Fix

Before applying, run the pre-check commands to confirm the modules are not actively in use. Full pre-check steps and the one-command fix are in the community post linked below.

The mitigation blocks all three modules from loading, unloads them immediately, and survives reboots. NGINX, PHP, MySQL, SSH, and SSL are unaffected. The only services impacted are IPsec VPN tunnels using ESP mode and AFS.

If anything breaks after applying, the fix is fully reversible with three commands to restore the modules.

Permanent Patch

No official Ubuntu kernel patch is available yet. The embargo broke early, and Ubuntu has not had time to ship one. We are watching their tracker and will update the community thread as soon as a patch lands. Once it does, apply the kernel update, reboot, and remove the mitigation file.

Full Details and Next Steps

For pre-check commands, the full fix, verification steps, and reversal instructions, see our full write-up on our community forum.

The File Manager now supports three new capabilities, including file uploads, one of the most-requested features from the community.

• File uploads: Upload files directly from your browser
• Bulk actions: Select multiple files and folders to change permissions, move, rename, zip, unzip, or delete in one go.
• Move: Relocate files and folders to any directory within your web application.

Note: These features require agent version 2.17.0 or above. Files tracked by Git are protected and will not be modified or deleted, and uploading files currently has a limit of 100MB per file. 

Read the documentation →

A critical Linux kernel vulnerability, CVE-2026-31431 ("Copy Fail"), was publicly disclosed on April 29, 2026. The vulnerability has been present in the Linux kernel since 2017 and affects all major distributions, including Ubuntu 24.04, 22.04, and 20.04. It allows any local user with shell access to escalate privileges to root without requiring special tools or conditions.

What We Did

We deployed an interim mitigation to all reachable servers via the RunCloud agent. It blocks the vulnerable kernel module from loading and closes the attack surface without requiring a reboot. It has been tested against Nginx, PHP, MySQL, SSH, and SSL with no impact on normal operation.

Servers that were offline, had the agent stopped, or had firewall rules blocking agent communication at the time of deployment were not reached automatically.

Permanent Patch

Ubuntu has not released an official patched kernel at the time of writing. Once available, it will appear as a kernel update in your RunCloud dashboard. After applying the update and rebooting, the interim mitigation can be safely removed. Servers that were automatically patched by RunCloud will have the interim fix cleaned up on our end once the official kernel update is confirmed to have been applied.

Track Ubuntu's release here: https://ubuntu.com/security/CVE-2026-31431

Recommended: Keep Security Updates Turned On

Navigate to your Server Settings and confirm that Enable Security Updates is turned on. While enabled by default, confirm that it is enabled on your servers to ensure critical kernel and security patches are automatically applied.

Full Details & Next Steps

For verification steps and instructions on how to manually apply the interim fix, see our full write-up on our community forum.

This release includes a comprehensive set of upstream security patches addressing multiple vulnerabilities across core NGINX modules, improving overall stability and hardening key request-handling paths. 

• Fixed WebDAV module buffer overflow
  Resolved a vulnerability in ngx_http_dav_module where specially crafted requests could cause memory corruption, potentially leading to crashes or arbitrary code execution.
• Fixed MP4 streaming module buffer overflows
  Fixed multiple vulnerabilities in ngx_http_mp4_module where malformed MP4 files or requests could trigger memory corruption and destabilize the server.
• Fixed NULL pointer dereference in authentication methods
  Corrected a flaw in CRAM-MD5 and APOP authentication that could cause NGINX to crash when handling invalid authentication data.
• Fixed injection vulnerability in mail proxy (auth_http and XCLIENT)
  Patched an issue that could allow injection of unintended commands or data during mail authentication or client identification.
• Fixed OCSP validation bypass in stream module
  Closed a gap where SSL certificate revocation checks (OCSP) could be bypassed under certain configurations, improving TLS validation.
• Fixed SSL upstream injection issue
  Resolved a vulnerability that could allow manipulation of data in SSL connections to upstream servers.

We’ve introduced two highly requested features to make managing WordPress on RunCloud more reliable and developer-friendly, without having to manually update your wp-config.php.

Note: Both features require RunCloud Agent version 2.16.9 or later.

Easily Replace WP-Cron with a Server-Side Cron Job

WP-Cron is notoriously a source of missed schedules and unnecessary overhead. So, we’ve now made it easier than ever to replace it with a real server cron job.

What this does:

• Disables the default WordPress pseudo-cron (DISABLE_WP_CRON)
• Creates a server-level cron job that runs every 5 minutes
• Improves reliability for scheduled posts, backups, and other scheduled actions
• Reduces performance overhead from cron checks on every page load

This can be configured both when creating a new WordPress web application, as shown below: 

And, in your web application settings area under WordPress > General Settings, as shown below:

Development Mode Toggle (WP Debug Made Simple)

You can now also easily enable “Development Mode” for WordPress when debugging without having to risk exposing errors to website visitors. 

What this does:

• Enables/disables WordPress debug mode via UI

• Automatically manages:

  • WP_DEBUG
  • WP_DEBUG_LOG
  • WP_DEBUG_DISPLAY (disabled for safety)
  • SCRIPT_DEBUG
• Logs errors to a secure debug.log file
• Keeps errors hidden from visitors by default