CVE-2026-24072EXPLOITEDPATCHED

apache software foundation · apache http server

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Affected Products

Vendor	Product	Versions
apache software foundation	apache http server	0

References

https://httpd.apache.org/security/vulnerabilities_24.html(vendor-advisory)

Related News (2 articles)

Tier C

oss-security3h ago

CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

→ No new info (linked only)

Tier C

VulDB5h ago

CVE-2026-24072 | Apache HTTP Server up to 2.4.66 .htaccess privileges management

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.4.67

CWECWE-269

PublishedMay 4, 2026

Last enriched2h agov3

Trending Score51

Source articles2

Independent2

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-34032EXP

Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string)

Trending: 64

NONECVE-2026-33006EXP

Apache HTTP Server: mod_auth_digest timing attack

Trending: 51

HIGHCVE-2026-29169

Apache HTTP Server: mod_dav_lock indirect lock crash

Trending: 48

HIGHCVE-2026-34059

Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data()

Trending: 48

MEDIUMCVE-2026-33857

Apache HTTP Server: Off-by-one OOB reads in AJP getter functions

Trending: 44

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 4, 2026

Discovered by ZDM

May 4, 2026

Updated: description, severity, cvssEstimate, patchAvailable

May 4, 2026

Updated: description, severity, exploitAvailable, activelyExploited

May 4, 2026

Actively Exploited

May 4, 2026

Exploit Available

May 4, 2026

Patch Available

May 4, 2026

Version History

Last enriched 2h ago

v3Tier C2h ago

Updated description with more technical detail, changed severity to MEDIUM, and marked exploit as available and actively exploited.

descriptionseverityexploitAvailableactivelyExploited

via oss-security

v2Tier C4h ago

Updated description with more technical detail, changed severity to HIGH, set CVSS estimate to 7.5, and updated patch available to version 2.4.67.

descriptionseveritycvssEstimatepatchAvailable

via VulDB

v16h ago

Initial creation