CVE 8.8 HIGH

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr_CVE-2026-24072

May 4, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

AI Analysis

Escalation of privilege bug in Apache HTTP Server via mod_rewrite elevation of privileges

Basic Information

ID CVE-2026-24072

Source apache

Published May 4, 2026 at 12:37

Modified May 4, 2026 at 18:23

Affected Product

Vendor Apache Software Foundation

Product Apache HTTP Server

Version 2.4.66 and earlier

Affected Versions Apache Software Foundation Apache HTTP Server 0

CWE Classification

CWE-269

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Apache Foundation

Product Apache HTTP Server

Version 2.4.66 and earlier

References

httpd.apache.org /security/vulnerabilities_24.html

{
    "lastseen": "",
    "description": "An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\n\nUsers are recommended to upgrade to version 2.4.67, which fixes this issue.",
    "published": "2026-05-04T12:37:57.673Z",
    "modified": "2026-05-04T18:23:43.614Z",
    "type": "cve",
    "title": "Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr",
    "source": "apache",
    "references": "https://httpd.apache.org/security/vulnerabilities_24.html",
    "id": "CVE-2026-24072",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache HTTP Server 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache HTTP Server",
    "version": "2.4.66 and earlier",
    "vendor": "Apache Software Foundation",
    "ai_description": "Escalation of privilege bug in Apache HTTP Server via mod_rewrite elevation of privileges",
    "ai_severity": "High",
    "ai_vendor": "Apache Foundation",
    "ai_product": "Apache HTTP Server",
    "ai_version": "2.4.66 and earlier",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply