{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-04T12:37:57Z",
  "bugzilla" : {
    "description" : "Apache HTTP Server: mod_rewrite: Apache HTTP Server: Privilege Escalation via .htaccess file manipulation",
    "id" : "2464941",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464941"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-73",
  "details" : [ "A flaw was found in Apache HTTP Server. This privilege-escalation vulnerability allows local attackers, specifically those able to author .htaccess files, to read sensitive files. The flaw enables unauthorized access to files readable by the httpd user, potentially leading to information disclosure." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-06T00:00:00Z",
    "advisory" : "RHSA-2026:13938",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "httpd-main-2.4.67-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd:2.4/httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-24072\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24072\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2026-24072",
  "mitigation" : {
    "value" : "To prevent local users from exploiting this flaw via .htaccess file manipulation, configure Apache HTTP Server to disable .htaccess overrides. Set `AllowOverride None` in the relevant `<Directory>` blocks of the main server configuration (the directive is only valid inside `<Directory>` sections). This prevents local users from altering server settings through .htaccess files. Note that `AllowOverride None` disables every directive those .htaccess files currently supply, not only rewrite rules, so verify that hosted applications still behave as expected after the change. After applying this change, the `httpd` service must be reloaded or restarted for the new configuration to take effect.\nExample configuration:\n```\n<Directory \"/var/www/html\">\nAllowOverride None\n</Directory>\n```\nTo apply changes, reload the service:\n`sudo systemctl reload httpd`\nOr restart the service:\n`sudo systemctl restart httpd`",
    "lang" : "en:us"
  },
  "csaw" : false
}