CVE-2026-34059
Published: 04 May 2026
Summary
CVE-2026-34059 is a high-severity Buffer Over-read (CWE-126) vulnerability in Apache HTTP Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 30.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-34059 is a buffer over-read vulnerability (CWE-126) in Apache HTTP Server, affecting all versions through 2.4.66. Published on 2026-05-04, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for remote information disclosure without privileges or user interaction.
Because attack complexity is low, an unauthenticated attacker with network access can trigger the over-read. Successful exploitation allows sensitive data to be read remotely from server memory, giving a high confidentiality impact while leaving integrity and availability unaffected.
Apache recommends upgrading to version 2.4.67, which resolves the vulnerability. Further details are provided in the official Apache HTTP Server vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/17.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26948
Vulnerability details
Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.
- CWE(s): CWE-126 (Buffer Over-read)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A buffer over-read in a public-facing Apache HTTP Server allows remote, unauthenticated information disclosure, which maps directly to the exploitation of internet-facing applications to gain access to data.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and correction of flaws such as the buffer over-read in Apache HTTP Server through version 2.4.66.
- RA-5 (Vulnerability Monitoring and Scanning): mandates vulnerability scanning to identify systems running Apache HTTP Server versions affected by CVE-2026-34059.
- AU-13 (Monitoring for Information Disclosure): requires monitoring for information disclosure events resulting from exploitation of the remote buffer over-read vulnerability.