Description
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Published: 2026-05-04
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A timing attack targeting the mod_auth_digest module of Apache HTTP Server allows a remote attacker to bypass Digest authentication by measuring response times. The flaw is a CWE-208 side‑channel vulnerability, letting attackers infer credential information and register as authenticated users without valid credentials, undermining the integrity of authentication controls.

Affected Systems

The vulnerable product is Apache HTTP Server from Apache Software Foundation. Versions 2.4.66 and earlier contain mod_auth_digest with the timing flaw; any deployment using these releases is affected.

Risk and Exploitability

The CVSS score of 4.8 indicates medium severity. The vulnerability is not listed in the CISA KEV catalog, and no EPSS data is available, so the exact exploitation probability is unknown. Nevertheless, the ability to defeat authentication remotely makes the attack especially concerning. The likely attack vector is remote, with an attacker sending repeated authenticated requests to observe timing differences.

Generated by OpenCVE AI on May 4, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache HTTP Server to version 2.4.67 or later to receive the fix.
  • If an upgrade is not immediately possible, disable or remove the mod_auth_digest module to eliminate the vulnerable code path.
  • Consider switching to a stronger authentication mechanism such as TLS client certificates or OAuth to avoid reliance on digest authentication.

Generated by OpenCVE AI on May 4, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache http Server
CPEs cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
Vendors & Products Apache http Server

Mon, 04 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 04 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache apache Http Server
Vendors & Products Apache
Apache apache Http Server

Mon, 04 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Title Apache HTTP Server: mod_auth_digest timing attack
Weaknesses CWE-208
References

Subscriptions

Apache Apache Http Server Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T18:23:55.292Z

Reserved: 2026-03-17T16:42:48.946Z

Link: CVE-2026-33006

cve-icon Vulnrichment

Updated: 2026-05-04T17:32:47.129Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T15:16:03.977

Modified: 2026-05-04T20:23:31.303

Link: CVE-2026-33006

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T21:15:06Z

Weaknesses