CVE-2026-44119 | Improper Privilege Management vulnerability in Apache HTTP S… | CVSS 5.5 MEDIUM

Description

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. This issue affects Apache HTTP Server: from through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Metadata

CVE ID: CVE-2026-44119
State: PUBLISHED
Assigner: apache
Reserved: 2026-05-05 11:34 UTC
Published: 2026-06-08 15:17 UTC
Last updated: 2026-06-09 11:57 UTC
Primary CWE: CWE-269
CWE-269 Improper Privilege Management
Vendor / Product: Apache Software Foundation / Apache HTTP Server
Sources: cve.org · NVD

Severity & Metrics

5.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Apache Software Foundation	Apache HTTP Server	—	2.4.0 ≤ 2.4.67

Weakness (CWE)

CWE	Source	Description
CWE-269	cna	CWE-269 Improper Privilege Management

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.5	MEDIUM	3.1	adp	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

https://httpd.apache.org/security/vulnerabilities_24.html