CVE Vulnerabilities

CVE-2026-24072

Improper Privilege Management

Published: May 04, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.5 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

NameVendorStart VersionEnd Version
Http_serverApache*2.4.67 (excluding)
Red Hat Enterprise Linux 10RedHathttpd-0:2.4.63-13.el10_2.4*
Red Hat Hardened ImagesRedHathttpd-main-2.4.67-0.1.hum1*
Apache2Ubuntudevel*
Apache2Ubuntuesm-infra-legacy/trusty*
Apache2Ubuntuesm-infra-legacy/xenial*
Apache2Ubuntuesm-infra/bionic*
Apache2Ubuntuesm-infra/focal*
Apache2Ubuntuesm-infra/xenial*
Apache2Ubuntujammy*
Apache2Ubuntunoble*
Apache2Ubuntuquesting*
Apache2Ubunturesolute*
Apache2Ubuntuupstream*

Potential Mitigations

References