Skip to main content

Apache HTTP Server CVE-2026-33006

| EUVDEUVD-2026-26961 MEDIUM
Observable Timing Discrepancy (CWE-208)
2026-05-04 apache
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 19:22 vuln.today
CVSS changed
May 04, 2026 - 19:22 NVD
4.8 (None) 4.8 (MEDIUM)
EUVD ID Assigned
May 04, 2026 - 15:00 euvd
EUVD-2026-26961
CVE Published
May 04, 2026 - 14:42 nvd
N/A

DescriptionCVE.org

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

AnalysisAI

Timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows remote unauthenticated attackers to bypass Digest authentication with high attack complexity. The vulnerability exploits measurable timing differences in digest credential validation, enabling credential compromise without valid authentication. Apache has released patched version 2.4.67; no active exploitation has been confirmed, but CISA SSVC framework indicates automatable exploitation is not feasible due to the timing attack's sensitivity requirements.

Technical ContextAI

Apache HTTP Server's mod_auth_digest module implements RFC 2617 Digest Access Authentication, which uses cryptographic hashing and nonces to avoid transmitting plaintext credentials. The vulnerability resides in CWE-208 (Observable Timing Discrepancy), where the module's credential comparison or nonce validation logic exhibits measurable timing variations depending on the validity of supplied digest values. An attacker can observe response time differences to infer valid authentication parameters, gradually reconstructing valid digest responses. The attack targets the cryptographic security of the digest mechanism itself, not implementation flaws in HTTP parsing or module initialization.

RemediationAI

Upgrade Apache HTTP Server to version 2.4.67 or later, which includes the fix for the mod_auth_digest timing attack. Patch deployment is straightforward: stop the server, replace the binary or rebuild from source with the updated version, and restart. For organizations unable to patch immediately, disable mod_auth_digest (uncomment or remove the LoadModule directive) and migrate to alternative authentication schemes: use mod_auth_basic with TLS-encrypted connections (requires HTTPS), implement OAuth 2.0 via mod_auth_openidc, or restrict Digest authentication to trusted networks via firewall rules or IP whitelisting on the VirtualHost directive. Disabling mod_auth_digest entirely eliminates attack surface but breaks existing Digest-authenticated clients; coordinate with application owners before removal. HTTPS is mandatory if switching to Basic authentication, as Digest's value proposition is avoiding plaintext credential transmission; HTTP Basic over cleartext HTTP would be strictly worse. Monitor vendor advisories at https://httpd.apache.org/security/vulnerabilities_24.html for any cumulative patches.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed

Share

CVE-2026-33006 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy