CVE-2026-0397: Permissive Cross-domain Security Policy with Untrusted Domains in Dnsdist

Severity: 3.1 LOW (NVD)
EPSS: 0.0% (top 98.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 31

Description

When the internal webserver is enabled (it is disabled by default), an attacker might be able to trick an administrator who is logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Exploitability: 1.6 | Impact: 1.4

Affected Packages (2 packages)

Source      Package            Affected versions
CVEListV5   powerdns/dnsdist   1.9.0 to 1.9.12 (+1)
Debian      powerdns/dnsdist   < 2.0.3-1

🔴 Vulnerability Details (3)

GHSA: GHSA-gjv7-4r9p-7hmx: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visitin... (2026-03-31)
CVEList: Information disclosure via CORS misconfiguration (2026-03-31)
OSV: CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visitin... (2026-03-31)

📋 Vendor Advisories (1)

Debian: CVE-2026-0397: dnsdist - When the internal webserver is enabled (default is disabled), an attacker might ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-0397 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-0397 dnsdist: dnsdist and PowerDNS: Information Disclosure via Cross-Origin Resource Sharing (CORS) Misconfiguration [epel-all] (2026-03-31)
Bugzilla: CVE-2026-0397 dnsdist: dnsdist and PowerDNS: Information Disclosure via Cross-Origin Resource Sharing (CORS) Misconfiguration [fedora-all] (2026-03-31)
CVE-2026-0397 — Powerdns Dnsdist vulnerability | cvebase