Mallory
High · Public exploit

Privilege Escalation in Apache HTTP Server mod_rewrite via .htaccess ap_expr

Identifiers: CVE-2026-24072 · CWE-269 (Improper Privilege Management)

CVE-2026-24072 is a privilege escalation vulnerability affecting Apache HTTP Server 2.4.66 and earlier. Apache describes the flaw as an escalation-of-privilege bug spanning several modules; the available supporting context identifies mod_rewrite’s evaluation of ap_expr expressions taken from .htaccess files as the relevant attack surface. Expressions parsed in per-directory context are meant to carry AP_EXPR_FLAG_RESTRICTED, which forbids the file() and filesize() functions and the -f, -d, -e, -s, -L and -x filesystem tests; in affected builds mod_rewrite omits that flag. A local user who is permitted to create or modify .htaccess files can therefore make Apache read arbitrary files, or probe filesystem state, with the privileges of the httpd worker process rather than those of the attacker’s own account. In practice this is a privilege boundary failure in shared or delegated-hosting scenarios where untrusted or semi-trusted users control per-directory rewrite rules through .htaccess.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local .htaccess author to read files accessible to the Apache httpd process, including files the attacker could not normally read with their own account privileges. The primary impact is unauthorized disclosure of sensitive local files and effective privilege escalation to the file-read capabilities of the web server account. This is particularly significant in shared hosting or multi-tenant environments where users can manage .htaccess content but should not have access to broader server-side data.

Mitigation

If you can’t patch tonight, do this now.

If an immediate upgrade is not possible, audit and restrict which local users may create or modify .htaccess files, especially in shared hosting. Remove delegated control over mod_rewrite rules wherever untrusted users could influence ap_expr evaluation. mod_rewrite directives are only honoured in .htaccess when AllowOverride includes FileInfo (or an AllowOverrideList entry names them), so where operationally feasible set AllowOverride None for untrusted directories, or at least drop FileInfo from it, so that per-directory rewrite configuration is rejected rather than parsed.

Remediation

Patch, then assume compromise.

Upgrade Apache HTTP Server to version 2.4.67 or later. Apache states that version 2.4.67 fixes CVE-2026-24072, and the fix was committed in the 2.4.x branch as revision r1933350 on 2026-05-04.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 1 / 2 total
CVE-2026-24072-Analysis · Maturity: PoC · Verified exploit

The repository is a real proof-of-concept and validation lab for CVE-2026-24072, an Apache HTTP Server local privilege-escalation / information-disclosure issue affecting .htaccess expression handling in 2.4.66 and earlier. It is not an exploit framework module; it combines vulnerability analysis, patch diffs, example malicious .htaccess payloads, and a Dockerized test harness that can swap between vulnerable and fixed mod_rewrite builds.

Core exploit capability: attacker-controlled .htaccess files use RewriteCond expr with restricted ap_expr primitives (file(), filesize(), -f, -d, -e, -s, -L, -x) to access filesystem information outside normal .htaccess confinement. In vulnerable builds these expressions are parsed without AP_EXPR_FLAG_RESTRICTED, allowing local users who can write .htaccess files to read arbitrary files or probe filesystem state with httpd's privileges. The strongest included case is tests/htdocs/test/c6/.htaccess, which reads /opt/sentinel/secret.txt and matches SENTINEL_TOKEN to prove content disclosure. Other cases demonstrate existence, directory, non-empty, executable, and symlink probes.

Repository structure: documentation files (README.md, CVE-2026-24072-analysis.md, docs/TESTING.md, docs/session/*) explain the bug, patch, and lab design; diff files (mod_rewrite.diff, mod_setenvif.diff, mod_proxy_fcgi.diff) show the fix; examples/ contains exploit.htaccess and safe-expressions.htaccess; docker/Dockerfile builds Apache 2.4.67 plus two swappable mod_rewrite DSOs; scripts/ contains lifecycle, swap, and automated test scripts; tests/conf/httpd.conf and tests/htdocs/test/* provide the vulnerable/fixed validation fixtures; tests/matrix.tsv defines expected outcomes.

Operationally, the Docker lab builds Apache 2.4.67, compiles mod_rewrite_fixed.so from 2.4.67 source and mod_rewrite_vuln.so from 2.4.66 source, and swaps the active module via the symlink /opt/httpd/modules/mod_rewrite.so. The service listens on port 8080. Automated tests curl /test/c1..c9 and /test/n1..n3, expecting vulnerable builds to return 200 with rewrite-fired indicators and fixed builds to return 500 with 'restricted' errors for restricted expressions while still accepting the negative-control expressions. The repository also documents the related affected modules mod_setenvif and mod_proxy_fcgi via patch diffs, but the runnable lab covers mod_rewrite only.

EricRHancock-coder · Disclosed May 5, 2026 · Tags: markdown, bash, local, web, file
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                      Product      Type
Apache Software Foundation  Http Server  application

Vendor-confirmed product mapping.
