CVE-2026-24072: .htaccess File Read in Apache HTTP Server
Platform: apache
Component: apache-http-server
Fixed in: 2.4.67
CVE-2026-24072 is a privilege escalation vulnerability discovered in Apache HTTP Server. It allows local .htaccess authors to read files with the privileges of the httpd user. This can lead to the exposure of sensitive information stored on the server. The vulnerability affects versions 2.4.0 through 2.4.66, and a fix is available in version 2.4.67.
Impact and attack scenarios
An attacker who can write .htaccess files on the server can craft directives that make httpd read files with the privileges of the httpd user, including files the attacker's own account cannot open. Targets include configuration files, database credentials embedded in application code, and any other file readable by that user. The prerequisite is write access to .htaccess files, which application developers and administrators normally have and which shared-hosting tenants commonly have for their own document roots. The blast radius is bounded by what the httpd user can read, but where all virtual hosts run as the same user that spans every site on the host, so the real impact depends on how the server is partitioned and on what secrets are readable by httpd. The pattern matches earlier .htaccess-based privilege escalations in httpd: untrusted .htaccess authors are a local attacker, and the durable controls are limiting what .htaccess may override and keeping secrets out of the httpd user's reach.
Exploitation context
CVE-2026-24072 was published on 2026-05-04. No public proof-of-concept (PoC) code is available at the time of writing. The EPSS score is 0.06% (19th percentile), a low predicted probability of exploitation in the near term. There are no known active campaigns targeting this vulnerability. Refer to the Apache security advisory for further details.
Threat analysis
Exploit status: no public PoC, no known active campaigns
EPSS: 0.06% (19th percentile)
Affected software: Apache HTTP Server 2.4.0 through 2.4.66
Timeline
- Published: 2026-05-04
Mitigation and workarounds
The recommended mitigation for CVE-2026-24072 is to upgrade Apache HTTP Server to version 2.4.67 or later. Where an immediate upgrade is not possible:
- Disable .htaccess processing (AllowOverride None in every Directory block) wherever it is not needed. With no .htaccess files honoured there are no attacker-controlled directives for httpd to parse. This page does not say which directive class is involved, so partially enabling overrides cannot be assumed safe.
- Restrict write access to .htaccess files and document roots to trusted accounts, and audit who can write them on shared hosts.
- Keep secrets out of the httpd user's reach: credentials and configuration the web server does not need should not be readable by that user.
A Web Application Firewall does not help here: .htaccess directives are read from the filesystem by httpd, not sent over HTTP, so a WAF never sees them.
After upgrading, confirm the running version with httpd -v (apache2ctl -v on Debian-based systems) and check every AllowOverride directive in the effective configuration. Distributions may backport the fix without changing the upstream version string, so for packaged builds compare the package version against the vendor's advisory. Since no public PoC exists, there is no crafted directive to test with; verification is by version and configuration, not by reproduction.
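The following triage script is an added example and is not code from the Apache project or from the advisory. It assumes only what this page states (fixed release 2.4.67, affected range 2.4.0 through 2.4.66) plus the standard "Server version: Apache/x.y.z" line printed by httpd -v; the vhost configuration it scans is constructed for the demo and is not a real server's file. It shows the two checks a practitioner actually performs: is the binary a fixed release, and where is .htaccess processing still enabled.

```shell
#!/bin/sh
# Added example for CVE-2026-24072 triage (not from the Apache project or advisory).
# Assumptions: fixed release is 2.4.67 as stated on this page; `httpd -v` prints
# "Server version: Apache/<version> (...)". The sample config below is constructed.

FIXED_MAJOR=2
FIXED_MINOR=4
FIXED_PATCH=67

# version_from_httpd_v: read `httpd -v` output on stdin, print the version number.
version_from_httpd_v() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# httpd_fixed VERSION: exit 0 if VERSION is 2.4.67 or later, 1 if it is an affected
# 2.4.x release, 2 if it is not a 2.4 release at all (outside the range on this page).
# Distro suffixes such as "2.4.67-1" are tolerated; see the caveat on backports below.
httpd_fixed() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}        # strip anything after the numeric patch level
    [ "$major" = "$FIXED_MAJOR" ] && [ "$minor" = "$FIXED_MINOR" ] || return 2
    [ "${patch:-0}" -ge "$FIXED_PATCH" ]
}

# allowoverride_enabled FILE: print every active AllowOverride directive that is not
# "None" and exit 0 if any exist, 1 if .htaccess processing is fully disabled in FILE.
# Comment lines are skipped. Only FILE is read; Include'd files must be scanned too.
allowoverride_enabled() {
    grep -iE '^[[:space:]]*AllowOverride[[:space:]]' "$1" \
      | grep -ivE '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$'
}

# Constructed sample vhost configuration (not a real server's file) for the demo.
sample_config() {
    cat <<'EOF'
<Directory "/var/www/html">
    AllowOverride None
</Directory>
# Shared-hosting document roots: tenants may drop .htaccess files here
<Directory "/var/www/tenants">
    AllowOverride All
</Directory>
EOF
}

# Demo on constructed input only. On a real host run instead:
#   httpd -v | version_from_httpd_v
#   allowoverride_enabled /etc/httpd/conf/httpd.conf   (or each Include'd file)
demo() {
    v=$(printf 'Server version: Apache/2.4.66 (Unix)\n' | version_from_httpd_v)
    if httpd_fixed "$v"; then
        echo "httpd $v: fixed release"
    else
        echo "httpd $v: affected, upgrade to 2.4.67 or later"
    fi
    tmp=$(mktemp)
    sample_config > "$tmp"
    if allowoverride_enabled "$tmp"; then
        echo "^ .htaccess processing is enabled in these scopes"
    else
        echo "no AllowOverride other than None"
    fi
    rm -f "$tmp"
}
demo
```

The version check is only meaningful for builds that track upstream numbering; Debian and Red Hat derivatives backport security fixes without bumping the upstream version, so for packaged httpd the package version against the vendor advisory is authoritative. For the configuration check, httpd -t -D DUMP_INCLUDES lists the files the effective configuration actually includes, and each of them needs the same scan.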
How to fix
Update your Apache HTTP Server installation to version 2.4.67 or later to mitigate this risk. The update fixes a privilege escalation vulnerability that allows .htaccess authors to read files with the privileges of the httpd user.
Frequently asked questions
What is CVE-2026-24072 in Apache HTTP Server?
It is a privilege escalation bug in Apache HTTP Server that lets authors of .htaccess files read files with the privileges of the httpd user.
Am I affected by CVE-2026-24072 in Apache HTTP Server?
If you are running Apache HTTP Server versions 2.4.0 through 2.4.66, you are potentially affected.
How do I fix CVE-2026-24072 in Apache HTTP Server?
Upgrade to Apache HTTP Server version 2.4.67 or later to resolve the vulnerability.
Is CVE-2026-24072 being actively exploited?
Currently there are no known active campaigns exploiting this vulnerability, but it should still be addressed proactively.
Where do I find the official Apache HTTP Server advisory for CVE-2026-24072?
Refer to the official Apache security advisory for detailed information and updates.