CVE-2026-35579
Published 2026-05-05
Priority P269 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.51% (39.6th percentile)
CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.
An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.
This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coredns.io | coredns | < 1.14.3 | 1.14.3 |
| coredns | coredns | < 1.14.3 | 1.14.3 |
| github.com | coredns_coredns | >= 0 < 1.14.3 | 1.14.3 |
| openshift4 | ose-coredns-rhel9 | — | — |
| rhacm2 | lighthouse-agent-rhel9 | — | — |
| rhacm2 | lighthouse-coredns-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- For gRPC/QUIC transports: TSIG authentication bypass occurs when the key name matches a configured key but the HMAC is never validated (dns.TsigVerify() is never called); detect DNS requests over gRPC or QUIC carrying a TSIG record with any MAC value that are accepted as authenticated.
- For DoH/DoH3 transports: any DNS request containing a TSIG record is treated as authenticated regardless of key name or MAC value; monitor DoH/DoH3 traffic for TSIG records with invalid or arbitrary key names being accepted, especially for AXFR/IXFR or dynamic update requests.
- Monitor for unauthorized AXFR/IXFR zone transfer requests or dynamic DNS update requests arriving over gRPC, QUIC, DoH, or DoH3 transports, which may indicate exploitation of the TSIG bypass.
- DoH/DoH3 exploitation has a lower bar: the attacker does not need a valid TSIG key name. Alert on any DoH/DoH3 DNS request carrying a TSIG record, particularly those requesting zone transfers or dynamic updates.
- The vulnerability affects CoreDNS versions prior to 1.14.3 only; upgrade to 1.14.3 to remediate. Red Hat packages rhacm2/lighthouse-agent-rhel9, rhacm2/lighthouse-coredns-rhel9, and openshift4/ose-coredns-rhel9 are confirmed affected.
- The TSIG bypass only applies to the gRPC, QUIC, DoH, and DoH3 transports; standard DNS-over-UDP/TCP TSIG handling is not described as affected. Detection rules should be scoped to these specific transports.
- The tsigStatus field remaining nil is the root indicator of the bypass for gRPC/QUIC; for DoH/DoH3 the DoHWriter.TsigStatus() method unconditionally returns nil regardless of input, meaning no per-request state distinguishes legitimate from malicious traffic at the application layer without patching.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 8.2 HIGH (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- Vendor (Red Hat): 8.2 HIGH
GHSA
CoreDNS has TSIG authentication bypass on gRPC and QUIC transports (ghsa, 2026-04-28, CVE-2026-35579 [HIGH], CWE-287)
### Summary
The gRPC, QUIC, DoH, and DoH3 transports in CoreDNS incorrectly handle TSIG authentication.
For gRPC and QUIC, CoreDNS checks whether the TSIG key name exists in the config, but does not actually verify the TSIG HMAC. If the key name matches, `tsigStatus` remains nil and the tsig plugin treats the request as "verified".
For DoH and DoH3, the issue is worse: TSIG is not verified at all. The DoH response writer has `TsigStatus()` hardcoded to return nil, so any request containing a TSIG record is treated as authenticated, even if the key name is invalid and the MAC is garbage.
As a result, attackers may bypass TSIG authentication on affected transports and access TSIG-protected functionality such as AXFR/IXFR
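The two broken checks described in the GHSA summary above and in the description at the top of this page, modelled side by side with the check the fix requires. This is an added Go illustration, not CoreDNS code: the tsigRR type, the tsigSecrets map and the simplified MAC over the message bytes alone are constructed stand-ins (the real fix calls dns.TsigVerify() from miekg/dns, whose MAC input under RFC 8945 also covers the key name, algorithm, time signed and fudge).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// tsigRR is a constructed stand-in for a parsed TSIG record (not a miekg/dns type).
type tsigRR struct {
	KeyName string // owner name of the TSIG RR, e.g. "axfr-key."
	MAC     []byte // MAC carried in the record
}

// tsigSecrets maps configured key name -> shared secret (constructed values).
var tsigSecrets = map[string][]byte{"axfr-key.": []byte("constructed-secret")}

// computeMAC: simplified HMAC over the message only; real TSIG (RFC 8945, dns.TsigVerify) also covers name, algorithm, time and fudge.
func computeMAC(secret, msg []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(msg)
	return h.Sum(nil)
}

// tsigStatusGRPCQUICVulnerable mirrors pre-1.14.3 gRPC/QUIC: the key name is
// looked up but the MAC is never verified, so any MAC yields nil ("verified").
func tsigStatusGRPCQUICVulnerable(r *tsigRR, _ []byte) error {
	if _, ok := tsigSecrets[r.KeyName]; !ok {
		return errors.New("tsig: unknown key")
	}
	return nil
}

// tsigStatusDoHVulnerable mirrors DoHWriter.TsigStatus() before the fix:
// unconditionally nil, the TSIG record is never inspected at all.
func tsigStatusDoHVulnerable(_ *tsigRR, _ []byte) error { return nil }

// tsigStatusFixed is the check the transports need: the key name must be
// configured AND the MAC must match, compared in constant time.
func tsigStatusFixed(r *tsigRR, msg []byte) error {
	secret, ok := tsigSecrets[r.KeyName]
	if !ok {
		return errors.New("tsig: unknown key")
	}
	if !hmac.Equal(computeMAC(secret, msg), r.MAC) {
		return errors.New("tsig: bad MAC")
	}
	return nil
}
```

A forged record with a configured key name and a garbage MAC passes the first two functions and fails only the third, which is exactly the gap that lets unsigned AXFR/IXFR requests through on the affected transports.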
Red Hat
github.com/coredns/coredns: CoreDNS: Authentication bypass allows unauthorized access to TSIG-protected functionalities (vendor_redhat, 2026-05-05, CVSS 8.2, CVE-2026-35579 [HIGH], CWE-303)
A flaw was found in CoreDNS. An unauthenticated network attacker can exploit incorrect handling of TSIG (Transaction Signature) authentication in the gRPC, QUIC, DoH (DNS over HTTPS), and DoH3 transport implementations. This vulnerability allows an attacker to bypass TSIG protection, leading to unauthorized access to functionalities such as zone transfers and dynamic DNS updates. For DoH and DoH3, the issue is more severe as any request with a TSIG record is treated as authenticated, even with an invalid key.
Package: rhacm2/lighthouse-agent-rhel9 (Red Hat Advanced Cluster Management for Kubernetes 2) - Affected
Package: rhacm2/lighthouse-coredns-rhel9 (Red Hat Advance
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026 (blogs_rapid7, 2026-05-13, CVSS 10.0, CVE-2026-41089 [CRITICAL])
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that's SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-35579 github.com/coredns/coredns: CoreDNS: Authentication bypass allows unauthorized access to TSIG-protected functionalities (bugzilla, 2026-05-05, CVSS 8.2, [HIGH])
References
- https://github.com/coredns/coredns/security/advisories/GHSA-vp29-5652-4fw9
- https://access.redhat.com/errata/RHSA-2026:25127
- https://access.redhat.com/security/cve/CVE-2026-35579
- https://bugzilla.redhat.com/show_bug.cgi?id=2466905
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-35579.json