Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-04T12:37:57 Apache HTTP Server: mod_rewrite: Apache HTTP Server: Privilege Escalation via .htaccess file manipulation 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CWE-73

A flaw was found in Apache HTTP Server. This escalation of privilege vulnerability allows local attackers, specifically those with the ability to author .htaccess files, to read sensitive files. This flaw enables unauthorized access to files with the privileges of the httpd user, potentially leading to information disclosure.

To prevent local users from exploiting this flaw via .htaccess file manipulation, configure Apache HTTP Server to disable .htaccess overrides. Set `AllowOverride None` within the main server configuration or relevant `<Directory>` blocks. This restricts the ability of local users to alter server settings. After applying this change, the `httpd` service must be reloaded or restarted for the new configuration to take effect. Example configuration: ``` <Directory "/var/www/html"> AllowOverride None </Directory> ``` To apply changes, reload the service: `sudo systemctl reload httpd` Or restart the service: `sudo systemctl restart httpd` Red Hat Enterprise Linux 10 Fix deferred httpd Red Hat Enterprise Linux 6 Fix deferred httpd Red Hat Enterprise Linux 7 Fix deferred httpd Red Hat Enterprise Linux 8 Fix deferred httpd:2.4/httpd Red Hat Enterprise Linux 9 Fix deferred httpd Red Hat Hardened Images Affected httpd https://www.cve.org/CVERecord?id=CVE-2026-24072 https://nvd.nist.gov/vuln/detail/CVE-2026-24072 https://httpd.apache.org/security/vulnerabilities_24.html