CVE-2026-24735

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/02/04/1	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-04 11:16

Updated : 2026-02-06 14:40

NVD link : CVE-2026-24735

Mitre link : CVE-2026-24735

CVE.ORG link : CVE-2026-24735

JSON object : View

Products Affected

apache

answer

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

{"id": "CVE-2026-24735", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-04T11:16:03.130", "references": [{"url": "https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/02/04/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-359"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 1.7.1.\n\nAn unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information.\nUsers are recommended to upgrade to version 2.0.0, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de exposici\u00f3n de Informaci\u00f3n Personal Privada a un Actor No Autorizado en Apache Answer.\n\nEste problema afecta a Apache Answer: hasta la versi\u00f3n 1.7.1.\n\nUn endpoint de API no autenticado expone incorrectamente el historial completo de revisiones para contenido eliminado. Esto permite a usuarios no autorizados recuperar informaci\u00f3n restringida o sensible.\nSe recomienda a los usuarios actualizar a la versi\u00f3n 2.0.0, que corrige el problema."}], "lastModified": "2026-02-06T14:40:37.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "532DB4B7-06FB-4580-9FB7-3FF91958AC5C", "versionEndExcluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}