
Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

PUBLISHED Reserved 2026-01-21 | Published 2026-05-04 | Updated 2026-05-05 | Assigner apache

Problem types

CWE-269 Improper Privilege Management

Product status

Default status
unaffected

Any version
affected

Timeline

2026-01-20: Report received
2026-05-04: Fixed in 2.4.x by r1933350

Credits

y7syeu finder

References

www.openwall.com/lists/oss-security/2026/05/04/18

httpd.apache.org/security/vulnerabilities_24.html vendor-advisory

cve.org (CVE-2026-24072)

nvd.nist.gov (CVE-2026-24072)
