CVE-2026-24281

Severity
7.4 HIGH
EPSS
0.0%
top 91.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 7

Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. Note that the attacker must present a certificate that ZKTrustManager already trusts, which makes this harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introduc

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2

Affected Packages (4 packages)

Source    | Package                                      | Affected   | Fixed
NVD       | apache/zookeeper                             | 3.8.0      | 3.8.6 (+1)
Maven     | org.apache.zookeeper:zookeeper               | 3.8.0      | 3.8.6 (+1)
CVEListV5 | apache_software_foundation/apache_zookeeper  | 3.9.0      | 3.9.4 (+1)
Debian    | zookeeper                                    | < 3.9.5-1  |

🔴 Vulnerability Details (4)

OSV: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager (2026-03-07)
GHSA: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager (2026-03-07)
CVEList: Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager (2026-03-07)
OSV: CVE-2026-24281: Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control... (2026-03-07)

📋 Vendor Advisories (2)

Red Hat: Apache ZooKeeper: Impersonation of servers or clients via reverse DNS spoofing (2026-03-07)
Debian: CVE-2026-24281: zookeeper - Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse D... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-24281 Impact, Exploitability, and Mitigation Steps | Wiz