CVE-2026-44119 (GCVE-0-2026-44119)
Vulnerability from cvelistv5
Published
2026-06-08 15:17
Modified
2026-06-09 11:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.
This issue affects Apache HTTP Server: from through 2.4.67.
Users are recommended to upgrade to version 2.4.68, which fixes the issue.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache HTTP Server |
Version: 2.4.0 ≤ 2.4.67 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-08T22:32:29.788Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/08/11"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-44119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T11:57:06.913774Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T11:57:10.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache HTTP Server",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.4.67",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucian Nitescu"
},
{
"lang": "en",
"type": "finder",
"value": "as3617 (@real_as3617) at ENKI Whitehat"
},
{
"lang": "en",
"type": "finder",
"value": "Zhang San"
},
{
"lang": "en",
"type": "finder",
"value": "Martin Petr\u00e1k"
},
{
"lang": "en",
"type": "finder",
"value": "joaovicdev"
},
{
"lang": "en",
"type": "finder",
"value": "Rooting | Lucas Torres"
},
{
"lang": "en",
"type": "finder",
"value": "R4mbb of KRsecurity"
},
{
"lang": "en",
"type": "finder",
"value": "gggggggga@Xiaomi ShadowBlade Security Lab"
},
{
"lang": "en",
"type": "finder",
"value": "NikKrian of H3C Security Center(h3c.com)"
},
{
"lang": "en",
"type": "finder",
"value": "lokerxx"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from through 2.4.67.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.68, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\n\nThis issue affects Apache HTTP Server: from through 2.4.67.\n\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T15:17:31.939Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://httpd.apache.org/security/vulnerabilities_24.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-05T12:00:00.000Z",
"value": "reported"
},
{
"lang": "en",
"time": "2026-06-05T12:00:00.000Z",
"value": "fixed in 2.4.x by r1935017"
},
{
"lang": "eng",
"time": "2026-06-08T12:00:00.000Z",
"value": "2.4.68 released"
}
],
"title": "Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-44119",
"datePublished": "2026-06-08T15:17:31.939Z",
"dateReserved": "2026-05-05T11:34:53.172Z",
"dateUpdated": "2026-06-09T11:57:10.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44119\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-09T11:57:06.913774Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-06-09T11:56:44.983Z\"}}], \"cna\": {\"title\": \"Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Lucian Nitescu\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"as3617 (@real_as3617) at ENKI Whitehat\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Zhang San\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Martin Petr\\u00e1k\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"joaovicdev\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Rooting | Lucas Torres\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"R4mbb of KRsecurity\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"gggggggga@Xiaomi ShadowBlade Security Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"NikKrian of H3C Security Center(h3c.com)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"lokerxx\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache HTTP Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.4.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.4.67\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-05T12:00:00.000Z\", \"value\": \"reported\"}, {\"lang\": \"en\", \"time\": \"2026-06-05T12:00:00.000Z\", \"value\": \"fixed in 2.4.x by r1935017\"}, {\"lang\": \"eng\", \"time\": \"2026-06-08T12:00:00.000Z\", \"value\": \"2.4.68 released\"}], \"references\": [{\"url\": \"https://httpd.apache.org/security/vulnerabilities_24.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\\n\\nThis issue affects Apache HTTP Server: from through 2.4.67.\\n\\nUsers are recommended to upgrade to version 2.4.68, which fixes the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eImproper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.\u003c/p\u003e\u003cp\u003eThis issue affects Apache HTTP Server: from through 2.4.67.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.4.68, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-06-08T15:17:31.939Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-44119\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-08T22:32:29.788Z\", \"dateReserved\": \"2026-05-05T11:34:53.172Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-06-08T15:17:31.939Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…