Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

INFO

Published Date :

2026-03-07T08:50:32.525Z

Last Modified :

2026-03-10T17:37:28.087Z

Source :

apache
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24281 vulnerability.

Vendors Products
Apache
  • Zookeeper
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24281.

URL Resource
http://www.openwall.com/lists/oss-security/2026/03/07/4 cve-icon
https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-24281 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-24281 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact