| Name | CVE-2026-24072 |
| Description | An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1135737 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | bullseye | 2.4.62-1~deb11u1 | vulnerable |
| bullseye (security) | 2.4.66-1~deb11u1 | vulnerable | |
| bookworm | 2.4.66-1~deb12u1 | vulnerable | |
| bookworm (security) | 2.4.62-1~deb12u2 | vulnerable | |
| trixie | 2.4.66-1~deb13u2 | vulnerable | |
| forky, sid | 2.4.66-8 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apache2 | source | (unstable) | 2.4.67-1 | 1135737 |
https://www.openwall.com/lists/oss-security/2026/05/04/18
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2026-24072
https://github.com/apache/httpd/commit/05e6c5086d6792b9105f88e1664b2614087f79d5 (2.4.67-rc1-candidate)