CVE-2026-24735: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Apache Software Foundation Apache Answer
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes the full revision history of deleted content. This allows an unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue.
AI Analysis
Technical Summary
CVE-2026-24735 affects Apache Answer, the Apache Software Foundation's Q&A platform, in all versions through 1.7.1. An API endpoint that serves the revision history of a piece of content does not require authentication and does not check whether that content has been deleted, so an anonymous client can retrieve every stored revision of a deleted question, answer or comment. Deleting content in the application therefore does not remove it from view: earlier edits, including text a user or moderator removed precisely because it was sensitive, remain readable. The weakness is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). Exploitation is over the network, needs no credentials and no user interaction, and has low attack complexity; the CVSS v3.1 score of 7.5 reflects a high confidentiality impact with no integrity or availability impact. The root cause is missing authorization on the revision-history endpoint rather than a flaw in how revisions are stored. Apache fixed the issue in version 2.0.0. No exploitation in the wild has been reported, but because the endpoint is unauthenticated and the data is already stored server-side, an unpatched instance can be harvested with nothing more than ordinary HTTP requests.
Potential Impact
For European organizations, exposure of personal data through this flaw carries regulatory and reputational consequences under the GDPR, which requires that personal data be protected and that deletion requests actually take effect. Revision histories of deleted content can contain user personal data, internal discussion, or confidential business information; what is actually exposed depends on what users wrote in content that was later deleted, so the impact must be assessed per instance. Consequences range from a notifiable data breach and loss of user trust to fines from data protection authorities. Government, healthcare, finance and research organizations, which commonly run internal knowledge bases holding sensitive material, are at particular risk. Because exploitation is trivial, an attacker can quickly use the endpoint to gather intelligence for further attacks. The flaw also undermines data retention and deletion policies: content an organization believes it has deleted is still being served, which complicates compliance and any prior assurances given to data subjects.
Mitigation Recommendations
The primary mitigation is to upgrade Apache Answer to version 2.0.0 or later, where the endpoint enforces authorization. Until the upgrade can be performed, restrict network access to the revision-history endpoint: place the instance behind a reverse proxy or API gateway and either limit that path to trusted internal networks or drop requests that carry no session credential, since the application itself will not reject them. Treat this as a stopgap; it does not fix the missing check in the application. Audit API access logs for reads of revision histories by unauthenticated clients, and go back as far as the logs allow, because the exposed data is historical and patching stops future reads but does not undo past ones. Look in particular for a single source walking many object identifiers, which is the signature of systematic harvesting rather than a stray client. Review access-control configuration on other API endpoints so that no sensitive data is served without authorization, and add monitoring and alerting for unusual API activity patterns. Review data retention and deletion policies to confirm that deleted content, including its revisions, is genuinely inaccessible after the upgrade. Finally, coordinate with legal and compliance teams so that incident response and any notification obligations can proceed if the logs show exposure.
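As an added illustration of the log-audit step above (example code written for this page, not code from Apache Answer or the advisory): a small Python scanner that parses reverse-proxy access logs, keeps only successful reads of the revision-history endpoint that carried no credential, and then flags source addresses that pulled revisions for many distinct objects. It assumes a proxy log format that records whether an Authorization header was present, and it uses `/answer/api/v1/revisions` as a placeholder path because the advisory does not name the endpoint; both are assumptions to adjust for your deployment. The log lines are constructed for the example.

```python
"""Scan access logs for unauthenticated reads of a revision-history endpoint.

Illustrative example for the CVE-2026-24735 advisory; not part of Apache Answer.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ASSUMPTION: placeholder for the revision-history endpoint. The advisory does not
# name the path; substitute the one your deployment actually serves.
REVISION_PATH_RE = re.compile(r"^/[^?]*/revisions(?:\?|$)")

# ASSUMPTION: proxy log format that records the Authorization header, e.g. nginx
#   '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_authorization"'
# so the final quoted field is "-" when the request carried no credential.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<authz>[^"]*)"$'
)


@dataclass(frozen=True)
class RevisionRequest:
    ip: str
    time: str
    path: str
    status: int
    size: int
    authenticated: bool
    object_id: Optional[str]


def parse_line(line: str) -> Optional[RevisionRequest]:
    """Parse one log line; None for malformed lines or paths other than the revision endpoint."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    path = m.group("path")
    if not REVISION_PATH_RE.match(path):
        return None
    # Only a real credential counts as authenticated; "-" or empty means none was sent.
    authenticated = m.group("authz") not in ("", "-")
    # The object id is an optional query parameter; keep it for the enumeration check.
    q = re.search(r"[?&]object_id=([^&]+)", path)
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return RevisionRequest(
        ip=m.group("ip"), time=m.group("time"), path=path,
        status=int(m.group("status")), size=size,
        authenticated=authenticated, object_id=q.group(1) if q else None,
    )


def unauthenticated_revision_reads(lines: Iterable[str]) -> List[RevisionRequest]:
    """Successful (2xx) revision reads that carried no credential.

    On an unpatched instance these are exactly the requests the advisory describes.
    On 2.0.0 or later they should be refused (non-2xx) and so never appear here.
    """
    hits = []
    for line in lines:
        req = parse_line(line)
        if req and not req.authenticated and 200 <= req.status < 300:
            hits.append(req)
    return hits


def enumeration_suspects(hits: List[RevisionRequest], min_objects: int = 3) -> Dict[str, int]:
    """Source IPs that read revisions of at least min_objects distinct objects:
    the pattern of someone walking object ids to harvest deleted content."""
    objects_by_ip: Dict[str, set] = {}
    for h in hits:
        objects_by_ip.setdefault(h.ip, set()).add(h.object_id)
    return {ip: len(objs) for ip, objs in objects_by_ip.items() if len(objs) >= min_objects}


# Constructed sample log: one anonymous client walking three object ids (expected hit),
# one authenticated read, one unrelated endpoint, one refused request, one bad line.
SAMPLE_LOG = """\
203.0.113.7 [04/Feb/2026:15:01:02 +0000] "GET /answer/api/v1/revisions?object_id=10010000000000001 HTTP/1.1" 200 5120 "-"
203.0.113.7 [04/Feb/2026:15:01:03 +0000] "GET /answer/api/v1/revisions?object_id=10010000000000002 HTTP/1.1" 200 4871 "-"
203.0.113.7 [04/Feb/2026:15:01:03 +0000] "GET /answer/api/v1/revisions?object_id=10010000000000003 HTTP/1.1" 200 6010 "-"
198.51.100.4 [04/Feb/2026:15:02:10 +0000] "GET /answer/api/v1/revisions?object_id=10010000000000001 HTTP/1.1" 200 5120 "Bearer eyJ..."
198.51.100.9 [04/Feb/2026:15:02:11 +0000] "GET /answer/api/v1/question/info?id=10010000000000001 HTTP/1.1" 200 2200 "-"
192.0.2.5 [04/Feb/2026:15:03:00 +0000] "GET /answer/api/v1/revisions?object_id=10010000000000009 HTTP/1.1" 403 120 "-"
garbage line that does not parse
"""

if __name__ == "__main__":
    found = unauthenticated_revision_reads(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.time} {h.ip} read revisions of object {h.object_id} without credentials")
    print("enumeration suspects:", enumeration_suspects(found))
```

Run it against your own proxy logs by replacing `SAMPLE_LOG` with a file read; any hit on an unpatched instance is a confirmed anonymous read of revision data, and an address listed by `enumeration_suspects` is the first candidate for the incident timeline.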
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-01-26T16:04:07.853Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6983708ef9fa50a62f98de78
Added to database: 2/4/2026, 4:15:10 PM
Last enriched: 2/4/2026, 4:29:27 PM
Last updated: 2/7/2026, 12:00:53 AM
Related Threats
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)
- CVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager (Critical)