Improper access control in Apache HTTP Server - CVE-2026-24072

 


Published: May 4, 2026


Vulnerability identifier: #VU129549
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24072
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Apache HTTP Server
Software vendor: Apache Foundation

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper access control in various Apache HTTP Server modules when evaluating ap_expr from .htaccess files. A local user can create a crafted .htaccess expression to disclose sensitive information.

The issue concerns local users who can author .htaccess files: it allows them to read files with the privileges of the httpd user.
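To scope exposure before and after patching, the following added example (not part of this advisory or of Apache's code) inventories .htaccess files that contain directives evaluated as ap_expr, together with each file's owner UID. The directive list, the default `.htaccess` file name (it can be changed with `AccessFileName`) and the function names are assumptions of this example.

```python
import os
import re
import sys
import tempfile

# Directives whose argument is evaluated as ap_expr (assumed list, extend as needed).
EXPR_DIRECTIVE = re.compile(
    r"""^\s*(?:
        <(?:If|ElseIf)\b         # <If> / <ElseIf> sections (core)
      | Require\s+expr\b         # mod_authz_core
      | SetEnvIfExpr\b           # mod_setenvif
      | RewriteCond\s+expr\b     # mod_rewrite
      | .*\bexpr=                # expr= conditions, e.g. on Header / RequestHeader
    )""",
    re.IGNORECASE | re.VERBOSE,
)

def find_expr_htaccess(root, name=".htaccess"):
    """Return (path, owner_uid, line_no, directive) for each ap_expr use under root."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()  # deterministic traversal order
        if name not in files:
            continue
        path = os.path.join(dirpath, name)
        uid = os.stat(path).st_uid  # file owner, used as a proxy for its author
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, 1):
                if not line.lstrip().startswith("#") and EXPR_DIRECTIVE.match(line):
                    hits.append((path, uid, line_no, line.strip()))
    return hits

def demo():
    """Scan a constructed document root holding three sample .htaccess files."""
    samples = {  # constructed sample content, not taken from any real site
        "site-a": "RewriteEngine On\nRewriteRule ^old$ /new [R=301]\n",
        "site-b": "# <If \"true\">\n<If \"%{HTTP_HOST} == 'example.com'\">\n"
                  "  Header set X-Site \"b\"\n</If>\n",
        "site-c": "Require expr \"%{REMOTE_ADDR} == '192.0.2.10'\"\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for site, body in samples.items():
            os.makedirs(os.path.join(root, site))
            with open(os.path.join(root, site, ".htaccess"), "w") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root), n, d) for p, _uid, n, d in find_expr_htaccess(root)]

if __name__ == "__main__":
    for hit in (find_expr_htaccess(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(*hit, sep="\t")
```

Run it with a document root as the only argument; files owned by accounts that should not be writing access rules are the first ones to review.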


Remediation

Install the security update from the vendor's website.
