CVE-2026-24072

CVE-2026-24072: Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Vendor Apache Software Foundation

Product Apache HTTP Server

Weakness CWE-269

Published May 4, 2026

Last update May 5, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Key dates

Disclosure timeline

May 4, 2026 CVE published

May 5, 2026 Record updated