CVE-2026-24308

HIGH

Apache ZooKeeper 3.8.5/3.9.4 - Info Disclosure


Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4, on all platforms, allows an attacker to expose sensitive information stored in the client configuration through the client's logfile. The configuration values are written at INFO level, so production systems running with ordinary log settings are potentially affected. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue.

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 5.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-532
Status published
Products (2)
apache/zookeeper 3.8.0 - 3.8.6
org.apache.zookeeper/zookeeper 3.9.0 - 3.9.5 (Maven)
Published Mar 07, 2026
Tracked Since Mar 07, 2026