CVE-2026-24308

Summary

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache ZooKeeper3.9.0 <= 3.9.4affected
Apache Software FoundationApache ZooKeeper3.8.0 <= 3.8.5affected

Weaknesses

  • CWE-532: CWE-532 Insertion of Sensitive Information into Log File

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values

Additional References

References