CVE-2026-24281

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24281
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24281.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24281
Aliases
Downstream
Related
Published
2026-03-07T09:16:07.437Z
Modified
2026-03-14T12:47:22.777443Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

References

Affected packages

Git / github.com/apache/zookeeper

Affected ranges

Type
GIT
Repo
https://github.com/apache/zookeeper
Events
Introduced
97c181a40d6dd6ccb2fdad7fcdbd1fd74ab0b6c8
Fixed
6df26081269769c160c8c3a24929c60c91cd19c3
Introduced
1674a5e97f43bc38e9bf56b04f83a7ae34d68249
Fixed
293c895a8d966a3ecb92872be4a1daf87d725da2
Database specific 
{
    "versions": [
        {
            "introduced": "3.8.0"
        },
        {
            "fixed": "3.8.6"
        },
        {
            "introduced": "3.9.0"
        },
        {
            "fixed": "3.9.5"
        }
    ]
}

Affected versions

release-3.*
release-3.9.0
release-3.9.0-1
release-3.9.1
release-3.9.1-0
release-3.9.2
release-3.9.2-0
release-3.9.3
release-3.9.3-0
release-3.9.3-1
release-3.9.3-2
release-3.9.4
release-3.9.4-0
release-3.9.4-1
release-3.9.4-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24281.json"