CVE-2026-24281

Summary

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache ZooKeeper3.9.0 <= 3.9.4affected
Apache Software FoundationApache ZooKeeper3.8.0 <= 3.8.5affected

Weaknesses

  • CWE-350: CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
  • CWE-295: CWE-295 Improper Certificate Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Apache ZooKeeper: Apache ZooKeeper: Impersonation of servers or clients via reverse DNS spoofing

Additional References

References