Cyber Resilience

CVE-2026-24735

High

Published: 04 February 2026

Published
04 February 2026
Modified
06 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 7.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24735 is a high-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Apache Answer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-24735 is an Exposure of Private Personal Information to an Unauthorized Actor vulnerability (CWE-359) affecting Apache Answer versions through 1.7.1. The issue stems from an unauthenticated API endpoint that incorrectly exposes the full revision history for deleted content, enabling unauthorized access to restricted or sensitive information. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges, user interaction, or elevated scope.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. By accessing the affected API endpoint, they can retrieve the complete revision history of deleted content, potentially exposing private personal information or other sensitive data that users intended to remove.

Apache advisories recommend upgrading to version 2.0.0, which resolves the issue. Further details are available in the Apache mailing list announcement at https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60 and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/02/04/1.

EU & UK References

Vulnerability details

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or…

more

sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Unauthenticated remote API access in public-facing Apache Answer web app directly enables T1190 (Exploit Public-Facing Application) for initial data access; resulting retrieval of sensitive/deleted content history maps to T1005 (Data from Local System).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68493Same vendor: Apache
CVE-2026-24308Same vendor: Apache
CVE-2025-50151Same vendor: Apache
CVE-2025-29847Same vendor: Apache
CVE-2025-23195Same vendor: Apache
CVE-2025-27553Same vendor: Apache
CVE-2025-66518Same vendor: Apache
CVE-2026-48827Same vendor: Apache
CVE-2026-22444Same vendor: Apache
CVE-2026-46586Same vendor: Apache

Affected Assets

apache
answer
≤ 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on the unauthenticated API endpoint to prevent unauthorized access to full revision history of deleted content containing sensitive information.

prevent

Prohibits retrieval of restricted revision history without identification and authentication, directly addressing the exposure via the unauthenticated endpoint.

prevent

Requires timely identification, reporting, and correction of the vulnerability through upgrade to version 2.0.0, eliminating the improper exposure of private information.

References