Skip to main content

Apache HTTP Server CVE-2026-24072

| EUVDEUVD-2026-26944 HIGH
Improper Privilege Management (CWE-269)
2026-05-04 apache
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 19:22 vuln.today
CVSS changed
May 04, 2026 - 19:22 NVD
8.8 (None) 8.8 (HIGH)
EUVD ID Assigned
May 04, 2026 - 13:00 euvd
EUVD-2026-26944
CVE Published
May 04, 2026 - 12:37 nvd
N/A

DescriptionCVE.org

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

AnalysisAI

Local .htaccess authors can escalate privileges to read arbitrary files as the httpd daemon user in Apache HTTP Server 2.4.66 and earlier. The vulnerability requires low-privilege authenticated access to create or modify .htaccess files, but exploits misconfigured module interactions to bypass intended access controls. Apache has released version 2.4.67 to address this issue. SSVC assessment indicates no active exploitation and non-automatable attack vector, with EPSS data not yet available for this recent disclosure.

Technical ContextAI

Apache HTTP Server uses .htaccess files to allow directory-level configuration overrides when AllowOverride directives permit it. This vulnerability (CWE-269: Improper Privilege Management) affects the interaction between various modules that process .htaccess directives and the file access control mechanisms. When certain module configurations are enabled, malicious .htaccess directives can manipulate how Apache resolves file paths or applies access restrictions, allowing an attacker with .htaccess write permissions to craft directives that cause the httpd process to read files outside the intended document root with the daemon's user privileges. The affected CPE (cpe:2.3:a:apache_software_foundation:apache_http_server) encompasses all versions through 2.4.66 across all platforms where Apache HTTP Server runs.

RemediationAI

Upgrade to Apache HTTP Server 2.4.67 which contains the fix for this privilege escalation issue. The patched version is confirmed available by the Apache Security Team at https://httpd.apache.org/security/vulnerabilities_24.html. For systems that cannot immediately upgrade, implement compensating controls: disable AllowOverride directives in the main httpd.conf configuration to prevent .htaccess file processing entirely (this will break applications relying on .htaccess for URL rewriting, authentication, or other runtime configuration). Alternatively, restrict AllowOverride to specific safe directive categories (e.g., AllowOverride AuthConfig Indexes) rather than AllowOverride All, though the exact vulnerable directives are not disclosed so comprehensive restriction may be needed. Review and restrict file system write permissions to ensure only trusted administrators can create or modify .htaccess files-this limits the attack surface but does not eliminate risk in shared hosting environments. Note that disabling .htaccess processing may impact application functionality including mod_rewrite rules, custom error pages, and directory-specific authentication, requiring migration of critical configurations to main server config files. Monitor httpd error logs for anomalous .htaccess processing attempts as a detection control.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-24072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy