Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules
Summary
| CVE | CVE-2026-44119 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-08 16:16:40 UTC |
| Updated | 2026-06-08 16:16:40 UTC |
| Description | Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue. |
Risk And Classification
Problem Types: CWE-269 Improper Privilege Management
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache HTTP Server | affected from 2.4.0 through 2.4.67 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| httpd.apache.org/security/vulnerabilities_24.html | [email protected] | httpd.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Lucian Nitescu (en)
CNA: as3617 (@real_as3617) at ENKI Whitehat (en)
CNA: Zhang San (en)
CNA: Martin Petrák (en)
CNA: joaovicdev (en)
CNA: Rooting | Lucas Torres (en)
CNA: R4mbb of KRsecurity (en)
CNA: gggggggga@Xiaomi ShadowBlade Security Lab (en)
CNA: NikKrian of H3C Security Center(h3c.com) (en)
CNA: lokerxx (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-05-05T12:00:00.000Z | reported |
| CNA | 2026-06-05T12:00:00.000Z | fixed in 2.4.x by r1935017 |
| CNA | 2026-06-08T12:00:00.000Z | 2.4.68 released |
There are currently no legacy QID mappings associated with this CVE.