Cyber Posture

CVE-2026-34059

Severity: High
Published: 04 May 2026
Modified: 04 May 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0008 (23.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34059 is a high-severity Buffer Over-read (CWE-126) vulnerability in Apache HTTP Server. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.8th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Buffer over-read in public-facing Apache HTTP Server enables remote unauthenticated information disclosure, directly mapping to exploitation of internet-facing applications for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

Deeper analysis

CVE-2026-34059 is a buffer over-read vulnerability (CWE-126) in Apache HTTP Server, affecting all versions through 2.4.66. Published on 2026-05-04, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): remote information disclosure with no privileges and no user interaction required.

Unauthenticated attackers with network access can exploit this vulnerability, and the attack complexity is low. Successful exploitation allows remote reading of sensitive data from the server's memory, giving a high confidentiality impact while leaving integrity and availability unaffected.

Apache recommends upgrading to version 2.4.67, which resolves the vulnerability. Further details are provided in the official Apache HTTP Server vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/17.

Details

CWE(s): CWE-126 Buffer Over-read

Affected Products

Apache HTTP Server, versions ≤ 2.4.67 (as listed here; note that the NVD description above gives the affected range as through 2.4.66, with 2.4.67 being the fixed release, so verify the installed version against the vendor advisory rather than this range alone)

CVEs Like This One

CVE-2026-23918: same product (Apache HTTP Server)
CVE-2026-29168: same product (Apache HTTP Server)
CVE-2026-24072: same product (Apache HTTP Server)
CVE-2026-29169: same product (Apache HTTP Server)
CVE-2024-55532: same vendor (Apache)
CVE-2026-31908: same vendor (Apache)
CVE-2025-54466: same vendor (Apache)
CVE-2026-40466: same vendor (Apache)
CVE-2025-24783: same vendor (Apache)
CVE-2026-24343: same vendor (Apache)
