CVE-2026-24735 — Exposure of Private Personal Information to an Unauthorized Actor in Apache Answer

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor6 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 94.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Apache Answer Apache Answer Apache Software Foundation Apache Answer

Timeline

PublishedFeb 4

Latest updateFeb 5

Description

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/answer< 2.0.0

▶Gogithub.com/apache_answer< 2.0.0

▶CVEListV5apache_software_foundation/apache_answer1.7.1

🔴Vulnerability Details

OSV

Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability in github.com/apache/answer↗2026-02-05

▶

GHSA

Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability↗2026-02-04

▶

CVEList

Apache Answer: Revision API Improper Access Control leads to Information Disclosure↗2026-02-04

▶

OSV

Apache Answer Exposure of Private Personal Information to an Unauthorized Actor vulnerability↗2026-02-04

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24735 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶