CVE-2026-0397

LOW

Information disclosure via CORS misconfiguration

Title source: cna

Description

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

References (1)

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Scores

CVSS v3 3.1

EPSS 0.0001

EPSS Percentile 0.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-942

Status published

Products (3)

PowerDNS/DNSdist 1.9.0 - 1.9.12

powerdns/dnsdist 1.9.0 - 1.9.12

PowerDNS/DNSdist 2.0.0 - 2.0.3

Published Mar 31, 2026

Tracked Since Mar 31, 2026