Cyber Resilience

CVE-2026-34059

Severity: High

Published: 04 May 2026

Modified: 04 May 2026
KEV Added: not listed
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34059 is a high-severity buffer over-read (CWE-126) vulnerability in Apache HTTP Server. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-34059 is a buffer over-read vulnerability (CWE-126) in Apache HTTP Server, affecting all versions through 2.4.66. Published on 2026-05-04, the issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its potential for remote information disclosure without privileges or user interaction.

Because the attack complexity is low, an unauthenticated attacker with network access can trigger the flaw. Successful exploitation lets the attacker read sensitive data from the server's memory remotely, giving a high confidentiality impact while leaving integrity and availability unaffected.

Apache recommends upgrading to version 2.4.67, which resolves the vulnerability. Further details are provided in the official Apache HTTP Server vulnerabilities page at https://httpd.apache.org/security/vulnerabilities_24.html and the OSS-Security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/05/04/17.


Vulnerability details

Buffer over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server through version 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

CWE(s): CWE-126 (Buffer Over-read)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A buffer over-read in a public-facing Apache HTTP Server enables remote, unauthenticated information disclosure, which maps directly to exploitation of an Internet-facing application for data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23918 (same product: Apache HTTP Server)
CVE-2026-29168 (same product: Apache HTTP Server)
CVE-2026-24072 (same product: Apache HTTP Server)
CVE-2026-29169 (same product: Apache HTTP Server)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41873 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-40961 (same vendor: Apache)
CVE-2025-48913 (same vendor: Apache)

Affected Assets

Vendor: apache; Product: http server; Versions: ≤ 2.4.67

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely identification, reporting, and correction of flaws such as the buffer over-read in Apache HTTP Server through version 2.4.66.

Detect (RA-5, Vulnerability Monitoring and Scanning): Mandates vulnerability scanning to identify systems running vulnerable Apache HTTP Server versions affected by CVE-2026-34059.

Detect (AU-13, Monitoring for Information Disclosure): Requires monitoring for information disclosure events resulting from exploitation of the remote buffer over-read vulnerability.
