Apache HTTP Server: escalation of privilege through expressions in .htaccess in multiple modules
CVE-2026-44119

5.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Http Server
Vendor: CVE Published:; 8 June 2026

What is CVE-2026-44119?

Improper Privilege Management vulnerability in Apache HTTP Server 2.4.67 and earlier allows local .htaccess authors to read files with the privileges of the httpd user.

This issue affects Apache HTTP Server: from through 2.4.67.

Users are recommended to upgrade to version 2.4.68, which fixes the issue.

Affected Version(s)

Apache HTTP Server 2.4.0 <= 2.4.67

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 8, 2026
Vulnerability Reserved
May 5, 2026

Credit

Lucian Nitescu

as3617 (@real_as3617) at ENKI Whitehat

Zhang San

Martin Petrák

joaovicdev

Rooting | Lucas Torres

R4mbb of KRsecurity

gggggggga@Xiaomi ShadowBlade Security Lab

NikKrian of H3C Security Center(h3c.com)

lokerxx

CVE-2026-44119 Data

JSON