CVE-2026-24281

HIGH

Apache ZooKeeper <3.8.6/3.9.5 - Auth Bypass

Title source: llm

Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

References (2)

[Mailing List] http://www.openwall.com/lists/oss-security/2026/03/07/4

[Mailing List] https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2

Scores

CVSS v3 7.4

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295 CWE-350

Status published

Products (2)

apache/zookeeper 3.8.0 - 3.8.6

org.apache.zookeeper/zookeeper 3.8.0 - 3.8.6Maven

Published Mar 07, 2026

Tracked Since Mar 07, 2026