Zero Day Monitor (ZDM)
7.5 · CVE-2026-33006 · EXPLOITED · PATCHED
Apache Software Foundation · Apache HTTP Server

Apache HTTP Server: mod_auth_digest timing attack

Description

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Affected Products

Vendor | Product | Versions
Apache Software Foundation | Apache HTTP Server | 0

References

  • https://httpd.apache.org/security/vulnerabilities_24.html (vendor-advisory)

Related News (2 articles)

Tier C · oss-security · 2h ago
CVE-2026-33006: Apache HTTP Server: mod_auth_digest timing attack
→ No new info (linked only)

Tier C · VulDB · 4h ago
CVE-2026-33006 | Apache HTTP Server up to 2.4.66 mod_auth_digest timing discrepancy
→ No new info (linked only)

CVSS 3.1: 7.5 NONE
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2.4.67
CWE: CWE-208
Published: May 4, 2026
Last enriched: 2h ago (v3)
Trending Score: 51
Source articles: 2
Independent: 2
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

  • MEDIUM · CVE-2026-34032 · EXP · Apache HTTP Server: mod_proxy_ajp: Heap Buffer Over-Read Due to Missing Null-Termination Check (ajp_msg_get_string) · Trending: 64
  • NONE · CVE-2026-24072 · EXP · Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr · Trending: 51
  • HIGH · CVE-2026-29169 · Apache HTTP Server: mod_dav_lock indirect lock crash · Trending: 48
  • HIGH · CVE-2026-34059 · Apache HTTP Server: mod_proxy_ajp: Heap Over-Read and memory disclosure in ajp_parse_data() · Trending: 48
  • MEDIUM · CVE-2026-33857 · Apache HTTP Server: Off-by-one OOB reads in AJP getter functions · Trending: 44

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

  • CVE Published · May 4, 2026
  • Discovered by ZDM · May 4, 2026
  • Updated: cvssEstimate · May 4, 2026
  • Updated: severity, affectedVersions, exploitAvailable, activelyExploited, patchAvailable · May 4, 2026
  • Actively Exploited · May 4, 2026
  • Exploit Available · May 4, 2026
  • Patch Available · May 4, 2026

Version History

Current version: v3 (last enriched 2h ago)

v3 · Tier C · 2h ago

Updated severity to MEDIUM, marked exploit as available, and noted active exploitation.

Updated: severity, affectedVersions, exploitAvailable, activelyExploited, patchAvailable
via oss-security

v2 · Tier C · 4h ago

Updated description with more technical detail, changed severity to HIGH, set CVSS estimate to 7.5, and noted that no exploit is available.

Updated: cvssEstimate
via VulDB

v1 · 4h ago

Initial creation