Description
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

This issue affects Apache HTTP Server: from through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Published: 2026-06-08
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates from improper privilege management in Apache HTTP Server 2.4.67 and earlier. Local authors of .htaccess files can exploit expressions to read files that the httpd user normally cannot access. This creates a privilege escalation path that allows the attacker to read privileged or sensitive files, compromising confidentiality and potentially exposing configuration or user data. The weakness aligns with CWE-269.

Affected Systems

The affected product is Apache HTTP Server, on all supported platforms. Any installation running version 2.4.67 or earlier is vulnerable. Versions 2.4.68 and later contain the fix. Affected modules include those that interpret .htaccess expressions.

Risk and Exploitability

The CVSS score is not provided, and the EPSS score is unavailable, indicating no publicly calculated exploitation probability. The vulnerability is local, requiring the attacker to have write access to a .htaccess file in a directory served by Apache. While this limits exposure to attackers who can write configuration files, the ability to read privileged files is a powerful local privilege escalation vector. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation but still presenting a significant risk to local attackers.

Generated by OpenCVE AI on June 8, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache HTTP Server 2.4.68 or later, which removes the ability for .htaccess authors to read files with the httpd user’s privileges.
  • Restrict write permissions to .htaccess and other configuration files so that only trusted administrators can modify them. Move served directories to read‑only ownership where possible.
  • Review your Apache configuration and consider disabling or restricting modules that allow expressions in .htaccess, such as mod_access_compat, to remove the attack surface until a patch is applied.

Generated by OpenCVE AI on June 8, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache http Server
Vendors & Products Apache
Apache http Server

Mon, 08 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Title Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules
Weaknesses CWE-269
References

Subscriptions

Apache Http Server
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-08T15:17:31.939Z

Reserved: 2026-05-05T11:34:53.172Z

Link: CVE-2026-44119

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-08T16:16:40.203

Modified: 2026-06-08T16:16:40.203

Link: CVE-2026-44119

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-08T18:30:16Z

Weaknesses