--- httpd-2.4.66/modules/proxy/mod_proxy_fcgi.c	2026-05-05 14:45:40
+++ httpd-2.4.67/modules/proxy/mod_proxy_fcgi.c	2026-05-05 14:45:40
@@ -1338,9 +1338,15 @@
     const char *err;
     sei_entry *new;
     const char *envvar = arg2;
+    unsigned int flags = 0;
+
+    /* Use restricted ap_expr() parser in htaccess context. */
+    if (cmd->pool == cmd->temp_pool) {
+        flags |= AP_EXPR_FLAG_RESTRICTED;
+    }
 
     new = apr_array_push(dconf->env_fixups);
-    new->cond = ap_expr_parse_cmd(cmd, arg1, 0, &err, NULL);
+    new->cond = ap_expr_parse_cmd(cmd, arg1, flags, &err, NULL);
     if (err) {
         return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
                             arg1, err);
@@ -1367,7 +1373,8 @@
             arg3 = "";
         }
 
-        new->subst = ap_expr_parse_cmd(cmd, arg3, AP_EXPR_FLAG_STRING_RESULT, &err, NULL);
+        flags |= AP_EXPR_FLAG_STRING_RESULT;
+        new->subst = ap_expr_parse_cmd(cmd, arg3, flags, &err, NULL);
         if (err) {
             return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
                                 arg3, err);