CVE-2026-33006
Publication date 5 May 2026
Last updated 14 May 2026
Ubuntu priority
CVSS 3 Severity Score
Description
A timing attack against mod_auth_digest in Apache HTTP Server 2.4.66 allows a bypass of Digest authentication by a remote attacker. Users are recommended to upgrade to version 2.4.67, which fixes this issue.
Why is this CVE low priority?
Apache httpd developers have rated this as a low-severity issue.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| apache2 | 26.04 LTS resolute | Fixed 2.4.66-2ubuntu2.1 |
| | 25.10 questing | Fixed 2.4.64-1ubuntu3.4 |
| | 24.04 LTS noble | Fixed 2.4.58-1ubuntu8.12 |
| | 22.04 LTS jammy | Fixed 2.4.52-1ubuntu4.20 |
| | 20.04 LTS focal | Needs evaluation |
| | 18.04 LTS bionic | Needs evaluation |
| | 16.04 LTS xenial | Needs evaluation |
| | 14.04 LTS trusty | Needs evaluation |
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-8239-1: Apache HTTP Server vulnerabilities (6 May 2026)