CVE-2026-44119

Name: CVE-2026-44119
Description: Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4629-1
Debian Bugs: 1139340

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | bullseye | 2.4.62-1~deb11u1 | vulnerable |
| | bullseye (security) | 2.4.67-1~deb11u3 | fixed |
| | bookworm | 2.4.67-1~deb12u2 | vulnerable |
| | bookworm (security) | 2.4.67-1~deb12u3 | vulnerable |
| | trixie | 2.4.67-1~deb13u2 | vulnerable |
| | trixie (security) | 2.4.67-1~deb13u3 | vulnerable |
| | forky | 2.4.67-1 | vulnerable |
| | sid | 2.4.68-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | bullseye | 2.4.67-1~deb11u3 | | DLA-4629-1 | |
| apache2 | source | (unstable) | 2.4.68-1 | | | 1139340 |

Notes

[trixie] - apache2 <no-dsa> (Minor issue)
[bookworm] - apache2 <no-dsa> (Minor issue)
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-44119
Fixed by: https://github.com/apache/httpd/commit/f63f26aff6aa747357b84b5bd09c45325fa7f9ba (2.4.68-rc1-candidate)
