CVE-2026-33006

MEDIUM severity · CVSS 4.8 · CWE-208

4.8CVSS MEDIUM

Summary

A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactLow

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products we track (1)

Apache HTTP Server

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://httpd.apache.org/security/vulnerabilities_24.htmlAdvisory
http://www.openwall.com/lists/oss-security/2026/05/04/21Advisory