## https://sploitus.com/exploit?id=40379BCA-07F4-5401-B618-4640793D350D
# CVE-2026-24072: Apache HTTP Server mod_rewrite Privilege Escalation Analysis
> **CVE-2026-24072** is a moderate-severity local privilege escalation vulnerability in Apache HTTP Server 2.4.66 and earlier. It allows local `.htaccess` authors to read arbitrary files on the filesystem with the privileges of the `httpd` user by leveraging `ap_expr` expression evaluation inside `mod_rewrite`, `mod_setenvif`, and `mod_proxy_fcgi`.
## Overview
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-24072 |
| **Severity** | Moderate (Local Privilege Escalation / Information Disclosure) |
| **Affected** | Apache HTTP Server pool == cmd->temp_pool;
```
When Apache parses `.htaccess` files, the per-directory configuration pool (`cmd->pool`) is the same as the temporary pool (`cmd->temp_pool`). This is a well-known internal Apache convention for detecting `.htaccess` (per-directory) context vs. main server/virtual host context.
## Files in this Repository
| File | Description |
|------|-------------|
| `CVE-2026-24072-analysis.md` | Full technical analysis and impact assessment |
| `mod_rewrite.diff` | Patch for `modules/mappers/mod_rewrite.c` |
| `mod_setenvif.diff` | Patch for `modules/metadata/mod_setenvif.c` |
| `mod_proxy_fcgi.diff` | Patch for `modules/proxy/mod_proxy_fcgi.c` |
| `httpd-2.4.66/` | Source tree of vulnerable Apache version |
| `httpd-2.4.67/` | Source tree of fixed Apache version |
| `examples/` | Proof-of-concept `.htaccess` files |
## References
- [CVE-2026-24072 - Apache HTTP Server: mod_rewrite elevation of privileges via ap_expr](https://cvefeed.io/vuln/detail/CVE-2026-24072)
- [Apache HTTP Server 2.4 Security Vulnerabilities](https://httpd.apache.org/security/vulnerabilities_24.html)
- [cPanel Security Advisory for CVE-2026-24072](https://support.cpanel.net/hc/en-us/articles/40232024538775-Security-CVE-2026-24072-Apache-HTTP-Server-mod-rewrite-elevation-of-privileges-via-ap-expr)
## Disclaimer
This repository is for educational and defensive purposes only. The proof-of-concept examples are intended to help security professionals understand and defend against this vulnerability. Do not use these techniques on systems you do not own or have explicit permission to test.