CVE-2026-44119 PUBLISHED

Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules

Assigner: apache
Reserved: 05.05.2026 Published: 08.06.2026 Updated: 08.06.2026

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

This issue affects Apache HTTP Server: from through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache HTTP Server
Versions	Default: unaffected affected from 2.4.0 to 2.4.67 (incl.)

Credits

Lucian Nitescu finder
as3617 (@real_as3617) at ENKI Whitehat finder
Zhang San finder
Martin Petrák finder
joaovicdev finder
Rooting | Lucas Torres finder
R4mbb of KRsecurity finder
gggggggga@Xiaomi ShadowBlade Security Lab finder
NikKrian of H3C Security Center(h3c.com) finder
lokerxx finder

References

https://httpd.apache.org/security/vulnerabilities_24.html

Problem Types

CWE-269 Improper Privilege Management CWE