Cyber Resilience

CVE-2026-24072

High

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0065 46.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24072 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Apache Http Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-24072 is an escalation of privilege vulnerability in various modules of the Apache HTTP Server versions 2.4.66 and earlier. It allows local users who can author .htaccess files to read arbitrary files using the privileges of the httpd user process. The flaw is classified under CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to low complexity and significant impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by local attackers with low privileges (PR:L), specifically those able to create or modify .htaccess files in web-accessible directories. Successful exploitation enables privilege escalation, allowing reading of files accessible only to the httpd user, such as sensitive configuration data or other restricted system resources. No user interaction is required, and while network accessible, the attack originates locally via .htaccess manipulation.

Apache recommends upgrading to version 2.4.67, which resolves this issue. Additional details are provided in the official Apache HTTP Server vulnerabilities advisory at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2026/05/04/18.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct local privilege escalation via .htaccess manipulation to httpd user context for arbitrary file read (CWE-269).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29169Same product: Apache Http Server
CVE-2026-29168Same product: Apache Http Server
CVE-2026-34059Same product: Apache Http Server
CVE-2026-23918Same product: Apache Http Server
CVE-2025-47411Same vendor: Apache
CVE-2025-23015Same vendor: Apache
CVE-2026-40048Same vendor: Apache
CVE-2026-23896Shared CWE-269
CVE-2025-0893Shared CWE-269
CVE-2025-2858Shared CWE-269

Affected Assets

apache
http server
≤ 2.4.67

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the privilege escalation flaw in Apache HTTP Server 2.4.66 and earlier by upgrading to 2.4.67.

prevent

Enforces least privilege to restrict local users' ability to author .htaccess files and limits the impact of escalation to httpd user privileges.

prevent

Requires secure configuration settings such as AllowOverride None to prevent exploitation via .htaccess files in web directories.

References