CVE-2026-24072

HIGH8.8EPSS 0.02%

Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Published: 5/4/2026Modified: 5/5/2026

Also known as:ALPINE-CVE-2026-24072BIT-apache-2026-24072

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Affected packages (3)

Alpine/apache2from 0, < 2.4.67-r0
Bitnami/apachefrom 0, < 2.4.67
Debian/apache2from 0, < 2.4.67-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2026-24072
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-24072
WEBhttps://httpd.apache.org/security/vulnerabilities_24.html
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2026-24072
WEBhttp://www.openwall.com/lists/oss-security/2026/05/04/18