CVE-2026-24072
Published: 04 May 2026
Description
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Access supervision ensures privileges are assigned and managed without improper escalation or retention.
Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.
Enforces proper privilege management by requiring all decisions through the verified reference monitor.
By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.
Implements core proper privilege management by restricting to only required rights.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
Security SummaryAI
CVE-2026-24072 is an escalation of privilege vulnerability in various modules of the Apache HTTP Server versions 2.4.66 and earlier. It allows local users who can author .htaccess files to read arbitrary files using the privileges of the httpd user process. The flaw is classified under CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to low complexity and significant impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by local attackers with low privileges (PR:L), specifically those able to create or modify .htaccess files in web-accessible directories. Successful exploitation enables privilege escalation, allowing reading of files accessible only to the httpd user, such as sensitive configuration data or other restricted system resources. No user interaction is required, and while network accessible, the attack originates locally via .htaccess manipulation.
Apache recommends upgrading to version 2.4.67, which resolves this issue. Additional details are provided in the official Apache HTTP Server vulnerabilities advisory at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2026/05/04/18.
Details
- CWE(s)