CVE-2026-24029

Summary

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

Affected Software

VendorProductVersion RangeStatus
PowerDNSDNSdist1.9.0 < 1.9.12affected
PowerDNSDNSdist2.0.0 < 2.0.3affected

Weaknesses

  • Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References