Cyber Posture

CVE-2026-24072

High

Published: 04 May 2026

Published
04 May 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0006 19.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24072 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Apache Http Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely remediation of the privilege escalation flaw in Apache HTTP Server 2.4.66 and earlier by upgrading to 2.4.67.

AC-6 Least Privilege good match
prevent

Enforces least privilege to restrict local users' ability to author .htaccess files and limits the impact of escalation to httpd user privileges.

CM-6 Configuration Settings good match
prevent

Requires secure configuration settings such as AllowOverride None to prevent exploitation via .htaccess files in web directories.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Direct local privilege escalation via .htaccess manipulation to httpd user context for arbitrary file read (CWE-269).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Deeper analysisAI

CVE-2026-24072 is an escalation of privilege vulnerability in various modules of the Apache HTTP Server versions 2.4.66 and earlier. It allows local users who can author .htaccess files to read arbitrary files using the privileges of the httpd user process. The flaw is classified under CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to low complexity and significant impacts on confidentiality, integrity, and availability.

The vulnerability can be exploited by local attackers with low privileges (PR:L), specifically those able to create or modify .htaccess files in web-accessible directories. Successful exploitation enables privilege escalation, allowing reading of files accessible only to the httpd user, such as sensitive configuration data or other restricted system resources. No user interaction is required, and while network accessible, the attack originates locally via .htaccess manipulation.

Apache recommends upgrading to version 2.4.67, which resolves this issue. Additional details are provided in the official Apache HTTP Server vulnerabilities advisory at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2026/05/04/18.

Details

CWE(s)
CWE-269

Affected Products

apache
http server
≤ 2.4.67

CVEs Like This One

CVE-2026-29168Same product: Apache Http Server
CVE-2026-34059Same product: Apache Http Server
CVE-2026-23918Same product: Apache Http Server
CVE-2026-29169Same product: Apache Http Server
CVE-2025-47411Same vendor: Apache
CVE-2025-23015Same vendor: Apache
CVE-2026-40048Same vendor: Apache
CVE-2025-64487Shared CWE-269
CVE-2025-67905Shared CWE-269
CVE-2025-26705Shared CWE-269

References