CVE-2026-24072

Published May 4, 2026

Last updated a month ago

CVSS high 8.8

Overview

Description
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Source
security@apache.org
NVD status
Analyzed
Products
http_server

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-269

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. IBM HTTP Server 8.5, and 9.0CVE-2026-9170
  2. IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module mod_mem_cache.CVE-2026-8854
  3. IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service in configurations where an attacker has write access to parts of the server configuration.CVE-2026-8856
  4. IBM HTTP Server 8.5, and 9.0 is vulnerable to remote code execution and denial of service in configurations with TLS mutual authentication (client authentication).CVE-2026-8855
  5. IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service.CVE-2026-8835

References

Sources include official advisories and independent security research.