CVE-2026-33006 PUBLISHED

Apache HTTP Server: mod_auth_digest timing attack

Assigner: apache
Reserved: 17.03.2026 Published: 04.05.2026 Updated: 04.05.2026

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.

Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Product Status

Vendor Apache Software Foundation
Product Apache HTTP Server
Versions Default: unaffected
  • affected from 0 to 2.4.66 (incl.)

Credits

  • Nitescu Lucian finder

References

Problem Types

  • CWE-208 Observable Timing Discrepancy CWE