High severity8.8NVD Advisory· Published May 4, 2026· Updated May 4, 2026

CVE-2026-24072

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Affected products

Apache/Http Server
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Range: <2.4.67

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/04/18nvdMailing ListThird Party Advisory
httpd.apache.org/security/vulnerabilities_24.htmlnvdVendor Advisory

News mentions

Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000