CVE Vulnerabilities

CVE-2026-33006

Observable Timing Discrepancy

Published: May 04, 2026 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
4.8 MODERATE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Weakness

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Affected Software

NameVendorStart VersionEnd Version
Http_serverApache*2.4.67 (excluding)
Red Hat Enterprise Linux 10RedHathttpd-0:2.4.63-13.el10_2.4*
Red Hat Hardened ImagesRedHathttpd-main-2.4.67-1.hum1*
Apache2Ubuntudevel*
Apache2Ubuntuesm-infra/xenial*
Apache2Ubuntujammy*
Apache2Ubuntunoble*
Apache2Ubuntuquesting*
Apache2Ubunturesolute*
Apache2Ubuntuupstream*

References