CVE-2026-26017
7.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Summary
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| coredns | coredns | < 1.14.2 | affected |
Weaknesses
- CWE-367: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw
Additional References
- https://access.redhat.com/security/cve/CVE-2026-26017
- https://bugzilla.redhat.com/show_bug.cgi?id=2445244
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26017.json
- https://access.redhat.com/errata/RHSA-2026:25127
- https://access.redhat.com/errata/RHSA-2026:8151
References
- https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr
- https://github.com/coredns/coredns/releases/tag/v1.14.2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.