CVE-2026-33006
Analyzed Analyzed - Analysis Complete
Timing Attack Bypass in Apache HTTP Server

Publication date: 2026-05-04

Last updated on: 2026-05-04

Assigner: Apache Software Foundation

Description
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33006
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache http_server to 2.4.67 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

Users are recommended to upgrade to Apache HTTP Server version 2.4.67, which fixes this issue.

Executive Summary

This vulnerability is a timing attack against the mod_auth_digest module in Apache HTTP Server version 2.4.66. It allows a remote attacker to bypass Digest authentication by exploiting the time differences in processing authentication requests.

Impact Analysis

An attacker exploiting this vulnerability can bypass Digest authentication, potentially gaining unauthorized access to protected resources on the affected Apache HTTP Server.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart