CVE-2026-24072: Apache HTTPD 2.4.66-2.4.67 Priv Escalation via .htaccess
CVE-2026-24072 Published on May 4, 2026

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.


Vulnerability Analysis

CVE-2026-24072 is exploitable with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Timeline

Report received.
Fixed in 2.4.x by r1933350, 104 days later.

Weakness Type

Improper Privilege Management

The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.


Products Associated with CVE-2026-24072


Affected Versions

Apache Software Foundation Apache HTTP Server: