CVE-2026-24281

Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager

CVSS 5.9 MEDIUM | EPSS 0.3% | CWE-295 | CWE-350
In short

Apache ZooKeeper's hostname verification can be bypassed by an attacker who controls reverse DNS (PTR) records, allowing them to impersonate legitimate servers with a certificate that is valid for the attacker-chosen PTR name. This matters because it weakens the security of ZooKeeper clusters that rely on certificate-based authentication between nodes and clients.

Technical detail

CWE-295 (Improper Certificate Validation) and CWE-350 (Reliance on Reverse DNS Resolution for Security): when Subject Alternative Name (SAN) validation of the peer's IP address fails, ZKTrustManager falls back to a reverse DNS lookup and matches the certificate against the resulting PTR name, so hostname verification can be bypassed. An attacker who controls the PTR record can present a valid certificate for the reverse-resolved name to impersonate ZooKeeper nodes; however, that certificate must still be trusted by ZKTrustManager, which raises the attack complexity.

Summary generated and translated by AI from the official description.
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
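As an added illustration that is not ZooKeeper's ZKTrustManager code, the model below contrasts strict IP-SAN matching with the reverse-DNS fallback described in the technical detail and the official description above, and shows why a configuration that disables the fallback closes the gap. The PTR table, addresses, host names and SAN lists are constructed stand-ins for a real resolver and real certificates.

```python
import ipaddress

# Constructed PTR table standing in for a DNS resolver (no network lookup),
# so the example runs offline. It models the case where the attacker controls
# the PTR record for 203.0.113.10 and points it at a name they hold a trusted
# certificate for.
PTR_RECORDS = {
    "203.0.113.10": "attacker.example",
}

def reverse_lookup(ip):
    """Simulated reverse DNS: return the PTR name for ip, or None if absent."""
    return PTR_RECORDS.get(ip)

def verify_peer(peer_ip, san_entries, reverse_dns_fallback):
    """Return True if the certificate's SANs vouch for the peer at peer_ip.

    san_entries is a list of ("IP", value) / ("DNS", value) tuples, like the
    subjectAltName entries of an already chain-validated certificate.
    reverse_dns_fallback=True models the flawed behaviour: when no IP SAN
    matches, the peer IP is reverse-resolved and the PTR name is matched
    against the DNS SANs, so whoever controls the PTR record decides which
    name is accepted. reverse_dns_fallback=False models the hardened setting:
    only an IP SAN matching the actual peer address is accepted.
    """
    peer = ipaddress.ip_address(peer_ip)
    for kind, value in san_entries:
        if kind == "IP" and ipaddress.ip_address(value) == peer:
            return True
    if not reverse_dns_fallback:
        return False  # hardened: no second chance via reverse DNS
    ptr_name = reverse_lookup(peer_ip)
    if ptr_name is None:
        return False
    return any(kind == "DNS" and value.lower() == ptr_name.lower()
               for kind, value in san_entries)

# Constructed SAN lists for two certificates that both passed chain validation.
LEGIT_CERT_SANS = [("IP", "203.0.113.10"), ("DNS", "zk1.internal.example")]
ATTACKER_CERT_SANS = [("DNS", "attacker.example")]  # no IP SAN for the node
```

With the fallback enabled the attacker's certificate is accepted for 203.0.113.10 purely because of the PTR record; with it disabled, only the certificate carrying the node's IP SAN passes.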
