CVE-2026-24072: Privilege Escalation in Apache HTTP Server
Platform: apache
Component: apache-http-server
Fixed in: 2.4.67
CVE-2026-24072 describes a privilege escalation vulnerability affecting Apache HTTP Server versions 2.4.0 through 2.4.66. This flaw allows local users with the ability to modify .htaccess files to read arbitrary files with the privileges of the httpd user, potentially leading to sensitive data exposure. The vulnerability has been resolved in version 2.4.67, and users are strongly advised to upgrade.
Impact and Attack Scenarios
The primary impact of CVE-2026-24072 is unauthorized file access. An attacker who can modify .htaccess files within a web server directory can leverage this vulnerability to read files that the httpd user has access to. This could include configuration files, log files, or even application source code, depending on the server's setup and file permissions. Successful exploitation could lead to the disclosure of sensitive information, such as database credentials, API keys, or internal system details. The blast radius is limited to systems where .htaccess files are enabled and accessible to local users, but the potential for data compromise remains significant.
Exploitation Context
CVE-2026-24072 was published on May 4, 2026. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a POC is released. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
EPSS: 0.06% (19th percentile)
Mitigation and Workarounds
The recommended mitigation for CVE-2026-24072 is to upgrade Apache HTTP Server to version 2.4.67 or later. If upgrading is not immediately feasible, consider disabling .htaccess files entirely if they are not essential for your application's functionality. Alternatively, restrict the permissions of the httpd user to minimize the potential impact of unauthorized file access. Web Application Firewalls (WAFs) might offer some protection by inspecting .htaccess modifications, but this is not a substitute for patching. After upgrading, verify the fix by attempting to read a protected file via a crafted .htaccess rule; the attempt should fail with a permission denied error.
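The two checks the advisory asks for (is the installed httpd in the affected 2.4.0 through 2.4.66 range, and does the configuration still enable .htaccess processing) can be scripted. The following POSIX shell functions are an added example, not part of the advisory or the Apache project; the sample configuration text is constructed, and the version-string format is that printed by `httpd -v`.

```shell
#!/bin/sh
# Added example (not from the advisory): CVE-2026-24072 exposure check.
# httpd_affected "<httpd -v output>" returns 0 when the parsed version is
# in the affected range 2.4.0 through 2.4.66, 1 when it is not, 2 when no
# version could be parsed.
httpd_affected() {
  ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$ver" ] || return 2
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0   # "2.4" with no patch level counts as 2.4.0
  [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 66 ]
}

# htaccess_enabled "<httpd.conf text>" returns 0 when any AllowOverride
# directive other than "AllowOverride None" is present (comments stripped),
# i.e. when .htaccess files are still honoured somewhere in the config.
htaccess_enabled() {
  printf '%s\n' "$1" \
    | sed 's/#.*//' \
    | grep -i '^[[:space:]]*AllowOverride' \
    | grep -iv 'AllowOverride[[:space:]][[:space:]]*None[[:space:]]*$' \
    | grep -q .
}

# report "<httpd -v output>" "<config text>" prints the mitigation state.
# Usage on a live host: report "$(httpd -v)" "$(cat /etc/httpd/conf/httpd.conf)"
report() {
  if httpd_affected "$1"; then
    echo "httpd is in the affected range (2.4.0-2.4.66): upgrade to 2.4.67 or later"
  else
    echo "httpd version is outside the affected range"
  fi
  if htaccess_enabled "$2"; then
    echo "AllowOverride permits .htaccess: set AllowOverride None where not required"
  else
    echo ".htaccess processing is disabled (AllowOverride None everywhere)"
  fi
}

# Constructed sample input: a vulnerable build with .htaccess enabled.
SAMPLE_VERSION='Server version: Apache/2.4.58 (Unix)'
SAMPLE_CONF='<Directory "/var/www/html">
    AllowOverride All   # enables .htaccess in the document root
</Directory>'
report "$SAMPLE_VERSION" "$SAMPLE_CONF"
```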
How to fix
Upgrade your Apache HTTP Server installation to version 2.4.67 or later to mitigate this risk. The update fixes a privilege escalation vulnerability that allows .htaccess authors to read files with the privileges of the httpd user.
Frequently asked questions
What is CVE-2026-24072 — Privilege Escalation in Apache HTTP Server?
CVE-2026-24072 is a vulnerability in Apache HTTP Server 2.4.0–2.4.66 that allows local .htaccess authors to read files with the privileges of the httpd user, potentially leading to data exposure.
Am I affected by CVE-2026-24072 in Apache HTTP Server?
You are affected if you are running Apache HTTP Server versions 2.4.0 through 2.4.66 and have enabled .htaccess files. Check your version with httpd -v.
How do I fix CVE-2026-24072 in Apache HTTP Server?
Upgrade to Apache HTTP Server version 2.4.67 or later. If upgrading is not possible, disable .htaccess files or restrict the httpd user's permissions.
Is CVE-2026-24072 being actively exploited?
There is currently no indication of active exploitation campaigns, but the vulnerability is likely to be exploited once a proof-of-concept is released.
Where can I find the official Apache HTTP Server advisory for CVE-2026-24072?
Refer to the Apache HTTP Server security announcements page for the official advisory: https://httpd.apache.org/security/.