CVE-2026-24308

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24308
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24308.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24308
Aliases
Downstream
Related
Published
2026-03-07T09:16:07.660Z
Modified
2026-03-14T15:05:46.153908Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

References

Affected packages

Git / github.com/apache/zookeeper

Affected ranges

Type
GIT
Repo
https://github.com/apache/zookeeper
Events
Introduced
97c181a40d6dd6ccb2fdad7fcdbd1fd74ab0b6c8
Fixed
6df26081269769c160c8c3a24929c60c91cd19c3
Introduced
1674a5e97f43bc38e9bf56b04f83a7ae34d68249
Fixed
293c895a8d966a3ecb92872be4a1daf87d725da2
Database specific 
{
    "versions": [
        {
            "introduced": "3.8.0"
        },
        {
            "fixed": "3.8.6"
        },
        {
            "introduced": "3.9.0"
        },
        {
            "fixed": "3.9.5"
        }
    ]
}

Affected versions

release-3.*
release-3.9.0
release-3.9.0-1
release-3.9.1
release-3.9.1-0
release-3.9.2
release-3.9.2-0
release-3.9.3
release-3.9.3-0
release-3.9.3-1
release-3.9.3-2
release-3.9.4
release-3.9.4-0
release-3.9.4-1
release-3.9.4-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24308.json"