CVE-2026-24072 — Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr

Description

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

How to fix CVE-2026-24072

To remediate CVE-2026-24072, upgrade the affected package to a fixed version below.

—upgrade to 2.4.67-r0 or later
—upgrade to 2.4.67 or later
—upgrade to 2.4.67-1~deb11u1 or later

Is CVE-2026-24072 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2.4.67-r0
from 0, < 2.4.67
from 0, < 2.4.67-1~deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-24072
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-24072
WEBhttpd.apache.org/security/vulnerabilities_24.html
WEBnvd.nist.gov/vuln/detail/CVE-2026-24072
WEB