oss-sec mailing list archives

CVE-2026-44119: Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules


From: Eric Covener <covener () apache org>
Date: Mon, 08 Jun 2026 12:50:49 +0000

Severity: moderate 

Affected versions:

- Apache HTTP Server 2.4.0 through 2.4.67

Description:

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to 
read files with the privileges of the httpd user.

This issue affects Apache HTTP Server: from through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Credit:

Lucian Nitescu (finder)
as3617 (@real_as3617) at ENKI Whitehat (finder)
Zhang San (finder)
Martin PetrĂ¡k (finder)
joaovicdev (finder)
Rooting | Lucas Torres (finder)
R4mbb of KRsecurity (finder)
gggggggga@Xiaomi ShadowBlade Security Lab (finder)
NikKrian of H3C Security Center(h3c.com) (finder)
lokerxx (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-44119

Timeline:

2026-05-05: reported
2026-06-05: fixed in 2.4.x by r1935017
2026-06-08: 2.4.68 released


Current thread: