CVE-2026-24308 — Log File Information Exposure in Apache Zookeeper

CWE-532 — Log File Information Exposure CWE-117 — Improper Output Neutralization for Logs9 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 93.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Zookeeper Apache Software Foundation Apache Zookeeper

Timeline

PublishedMar 7

Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDapache/zookeeper3.8.0 — 3.8.6+1

▶Debianapache/zookeeper< 3.9.5-1

▶CVEListV5apache_software_foundation/apache_zookeeper3.9.0 — 3.9.4+1

🔴Vulnerability Details

OSV

CVE-2026-24308: Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3↗2026-03-07

▶

GHSA

Apache ZooKeeper has improper handling of configuration values↗2026-03-07

▶

OSV

Apache ZooKeeper has improper handling of configuration values↗2026-03-07

▶

CVEList

Apache ZooKeeper: Sensitive information disclosure in client configuration handling↗2026-03-07

▶

📋Vendor Advisories

Red Hat

Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values↗2026-03-07

▶

Debian

CVE-2026-24308: zookeeper - Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-24308 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-24308 Apache ZooKeeper: Apache ZooKeeper: Information disclosure via improper handling of configuration values↗2026-03-07

▶