CVE-2026-24735, disclosed on 5 February 2026, concerns Apache Answer, the Q&A platform software from The Apache Software Foundation. The flaw allows unauthenticated attackers to access the full revision history of content that was intended to be deleted, exposing private post history. The issue stems from improper access control around the revision API: an unauthenticated API endpoint incorrectly exposes history for deleted content.
It affects all versions of Apache Answer up to and including 1.7.1, so administrators running those releases could be leaving user edit histories publicly exposed. The maintainers have addressed the problem in the latest major release, and users are advised to upgrade to version 2.0.0, which fixes the issue. The advisory rates the vulnerability as important and urges community managers and IT teams to apply the update so that deleted content actually remains private.
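The access-control gap described above, as an added Go example that is not Apache Answer's code: a revision lookup that ignores the parent object's state next to one that applies the object's visibility rule to its history. All type and function names are hypothetical, the data is constructed, and the rule that only authenticated moderators may read deleted content is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; not Apache Answer's data model.
type Post struct{ Deleted bool }
type Viewer struct{ Authenticated, Moderator bool }
type Store struct {
	Posts     map[string]Post
	Revisions map[string][]string // object ID -> past versions of the text
}

var ErrNotFound = errors.New("object not found")

// RevisionsUnchecked shows the flaw class: history served by ID, no caller or state check.
func (s *Store) RevisionsUnchecked(id string) []string { return s.Revisions[id] }

// RevisionsChecked applies the parent object's visibility rule to its history.
func (s *Store) RevisionsChecked(v Viewer, id string) ([]string, error) {
	post, ok := s.Posts[id]
	if !ok {
		return nil, ErrNotFound
	}
	// Assumption: only authenticated moderators may read deleted content.
	if post.Deleted && !(v.Authenticated && v.Moderator) {
		// Same error as a missing object, so the reply does not confirm it exists.
		return nil, ErrNotFound
	}
	return s.Revisions[id], nil
}

// SampleStore returns constructed data: one visible and one deleted post.
func SampleStore() *Store {
	return &Store{
		Posts: map[string]Post{"q1": {Deleted: false}, "q2": {Deleted: true}},
		Revisions: map[string][]string{
			"q1": {"first draft", "final text"},
			"q2": {"draft with private detail", "redacted text"},
		},
	}
}

func main() {
	s, anon := SampleStore(), Viewer{}
	fmt.Println("unchecked:", s.RevisionsUnchecked("q2"))
	_, err := s.RevisionsChecked(anon, "q2")
	fmt.Println("checked, anonymous:", err)
}
```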