CVE-2026-33006

Published: May 5, 2026Last modified: May 6, 2026

Description

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Severity score breakdown

ParameterValue
Base score4.8
Attack VectorNETWORK
Attack complexityHIGH
Privileges requiredNONE
User interactionNONE
ScopeUNCHANGED
ConfidentialityLOW
Integrity impactLOW
Availability impactNONE
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSapache2Fixed (2.4.67-r0)
25 LTSapache2Fixed (2.4.67-r0)
Streamapache2Fixed (2.4.67-r0)

References

ON THIS PAGE