Apache Answer: Revision API Improper Access Control leads to Information Disclosure
Description
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.
This issue affects Apache Answer: through 1.7.1.
An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows an unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated API endpoint in Apache Answer exposes full revision history of deleted content, leaking restricted or sensitive information.
Vulnerability
Description
CVE-2026-24735 is an exposure of private personal information vulnerability in Apache Answer, a Q&A platform. The issue resides in an unauthenticated API endpoint that incorrectly exposes the full revision history of deleted content. This design flaw allows any unauthorized user to retrieve restricted or sensitive information that was meant to be removed or hidden. The vulnerability affects all versions of Apache Answer up to and including version 1.7.1 [1][2].
Attack
Vector
The vulnerability can be triggered by an unauthenticated attacker sending requests to the affected API endpoint. No authentication or prior access is required. The endpoint fails to properly enforce access controls for the revision history of deleted content, meaning that even after a user deletes content, the complete revision history (potentially containing private personal information, proprietary data, or other sensitive details) remains accessible [2]. The attack surface is broad since the API is publicly reachable in default deployments.
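The following is added example code illustrating the access-control flaw class the advisory describes; it is not Apache Answer's own code and its types, in-memory store and role names are constructed assumptions. It places a hypothetical revision lookup that ignores an object's deleted state beside a hardened version that returns deleted content's history only to an admin and answers "not found" for missing and deleted objects alike.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model for this example; not Apache Answer's own types.
type Revision struct{ ID, Content string }

type Object struct {
	Deleted   bool
	Revisions []Revision
}

// Caller is who is asking; Role is "" for an unauthenticated request.
type Caller struct{ UserID, Role string }
var ErrNotFound = errors.New("not found")

// Constructed sample store: one live object and one deleted object.
var store = map[string]*Object{
	"q1": {Revisions: []Revision{{"r1", "public text"}}},
	"q2": {Deleted: true, Revisions: []Revision{{"r2", "removed text"}}},
}

// RevisionsVulnerable shows the flaw class: it returns history by object id
// without consulting the deleted flag or the caller's identity.
func RevisionsVulnerable(objectID string) ([]Revision, error) {
	obj, ok := store[objectID]
	if !ok {
		return nil, ErrNotFound
	}
	return obj.Revisions, nil
}

// RevisionsHardened hides a deleted object's history from everyone but an
// admin; missing and deleted objects get the same answer, leaking nothing.
func RevisionsHardened(c Caller, objectID string) ([]Revision, error) {
	obj, ok := store[objectID]
	if !ok || (obj.Deleted && c.Role != "admin") {
		return nil, ErrNotFound
	}
	return obj.Revisions, nil
}

func main() {
	_, err := RevisionsHardened(Caller{}, "q2")
	fmt.Println("anonymous read of deleted history:", err) // not found
}
```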
Impact
Successful exploitation enables an attacker to read the full revision history of deleted content, which may include personal data, credentials, intellectual property, or other confidential information that users or administrators intended to permanently remove. This is a direct violation of user privacy and data retention policies. The information disclosed could be used for further attacks, identity theft, or corporate espionage [1][2].
Mitigation
The Apache Answer development team has addressed the issue in version 2.0.0, released on 2026-02-04. Users are strongly recommended to upgrade to this version immediately. No workarounds have been published. The vulnerability was discovered and reported by Sho Odagiri of GMO Cybersecurity by Ierae, Inc. [2]. At the time of publication, Apache Answer version 2.0.0 is available from the project's GitHub repository [3] and official website.
1. NVD - CVE-2026-24735
2. security - CVE-2026-24735: Apache Answer: Revision API Improper Access Control leads to Information Disclosure
3. GitHub - apache/answer: A Q&A platform software for teams at any scale. Whether it's a community forum, help center, or knowledge management platform, you can always count on Apache Answer.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/answer (Go) | < 2.0.0 | 2.0.0 |
Affected products
- Apache Software Foundation / Apache Answer
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5w5r-8xc6-2xhw (advisory)
- lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-24735 (advisory)
- www.openwall.com/lists/oss-security/2026/02/04/1 (web)
News mentions
No linked articles in our index yet.