Cyber Posture

CVE-2026-34059

High

Published: 04 May 2026

Modified: 04 May 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0006 (19.1th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Security Summary (AI)

CVE-2026-34059 is a buffer over-read vulnerability (CWE-126) in Apache HTTP Server, affecting all versions through 2.4.66. Published on 2026-05-04, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for remote information disclosure without privileges or user interaction.

Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity. Exploitation enables remote reading of sensitive data from the server, resulting in high confidentiality impact while leaving integrity and availability unaffected.

Apache recommends upgrading to version 2.4.67, which resolves the vulnerability. Further details are provided in the official Apache HTTP Server vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/17.

Details

CWE(s)

Affected Products

apache · http server · ≤ 2.4.67

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer over-read in public-facing Apache HTTP Server enables remote unauthenticated information disclosure, directly mapping to exploitation of internet-facing applications for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
