CVE-2026-33006
Analyzed
Analyzed - Analysis Complete
Timing Attack Bypass in Apache HTTP Server
Publication date: 2026-05-04
Last updated on: 2026-05-04
Assigner: Apache Software Foundation
Description
Description
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker.
Users are recommended to upgrade to version 2.4.67, which fixes this issue.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | http_server | to 2.4.67 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache HTTP Server version 2.4.67, which fixes this issue.
Can you explain this vulnerability to me?
This vulnerability is a timing attack against the mod_auth_digest module in Apache HTTP Server version 2.4.66. It allows a remote attacker to bypass Digest authentication by exploiting the time differences in processing authentication requests.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can bypass Digest authentication, potentially gaining unauthorized access to protected resources on the affected Apache HTTP Server.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70