CVE-2026-24072
Published: 04 May 2026
Summary
CVE-2026-24072 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Apache Http Server. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 46.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Deeper analysis
CVE-2026-24072 is an escalation of privilege vulnerability in various modules of the Apache HTTP Server versions 2.4.66 and earlier. It allows local users who can author .htaccess files to read arbitrary files using the privileges of the httpd user process. The flaw is classified under CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to low complexity and significant impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by local attackers with low privileges (PR:L), specifically those able to create or modify .htaccess files in web-accessible directories. Successful exploitation enables privilege escalation, allowing reading of files accessible only to the httpd user, such as sensitive configuration data or other restricted system resources. No user interaction is required, and while network accessible, the attack originates locally via .htaccess manipulation.
Apache recommends upgrading to version 2.4.67, which resolves this issue. Additional details are provided in the official Apache HTTP Server vulnerabilities advisory at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list post at http://www.openwall.com/lists/oss-security/2026/05/04/18.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26944
Vulnerability details
An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct local privilege escalation via .htaccess manipulation to httpd user context for arbitrary file read (CWE-269).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the privilege escalation flaw in Apache HTTP Server 2.4.66 and earlier by upgrading to 2.4.67.
Enforces least privilege to restrict local users' ability to author .htaccess files and limits the impact of escalation to httpd user privileges.
Requires secure configuration settings such as AllowOverride None to prevent exploitation via .htaccess files in web directories.