CVE-2026-24281
Hostname verification bypass vulnerability in zookeeper (Maven)

Vulnerability type: Hostname verification bypass
Known exploits: none

What is CVE-2026-24281 About?

This vulnerability is a hostname verification bypass in Apache ZooKeeper caused by a fallback to reverse DNS (PTR) lookups when IP Subject Alternative Name (SAN) validation fails. It can allow attackers to impersonate ZooKeeper servers or clients. Exploitation is difficult, as the attacker must present a certificate that ZKTrustManager already trusts.

Affected Software

  • org.apache.zookeeper:zookeeper
    • >=3.8.0, <3.8.6
    • >=3.9.0, <3.9.5

Technical Details

The ZKTrustManager in Apache ZooKeeper incorrectly falls back to reverse DNS (PTR) record lookups for hostname verification when the initial IP Subject Alternative Name (SAN) validation fails. Because a PTR answer is unauthenticated input, an attacker who can control or spoof PTR records can make the peer's address resolve to a name of their choosing; if they hold a valid certificate for that PTR name, presenting it lets them impersonate legitimate ZooKeeper servers or clients even though the primary IP SAN validation failed. The attack is constrained by the requirement that the attacker's certificate already be trusted by ZKTrustManager.
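The following is an added illustration of the flawed pattern the advisory describes, placed beside a strict variant; it is a simplified model written for this page, not ZooKeeper's ZKTrustManager code. Certificate records are plain dictionaries, the PTR "resolver" is an injected function, and every IP, name and PTR answer below is constructed. The point it makes: the fallback verifies the certificate against a name the connecting side never asked for (whatever the reverse zone says), whereas a strict check only accepts the literal IP SAN or the hostname the caller itself configured.

```python
"""Model of certificate identity checking with and without a PTR fallback.
Added example for CVE-2026-24281; not ZooKeeper code. All data is constructed."""
import ipaddress


def ip_san_matches(cert, peer_ip):
    """True when the connected IP appears literally as an IP SAN."""
    peer = ipaddress.ip_address(peer_ip)
    return any(ipaddress.ip_address(san) == peer for san in cert.get("ip_sans", ()))


def dns_san_matches(cert, name):
    """Exact match or a single leftmost-label wildcard (RFC 6125 style)."""
    name = name.lower().rstrip(".")
    for san in cert.get("dns_sans", ()):
        san = san.lower()
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def verify_with_ptr_fallback(cert, peer_ip, ptr_lookup):
    """Flawed pattern: if the IP SAN check fails, derive a hostname from the
    peer's PTR record and accept the certificate when a DNS SAN matches it.
    ptr_lookup stands in for an unauthenticated reverse-DNS query."""
    if ip_san_matches(cert, peer_ip):
        return True
    reverse_name = ptr_lookup(peer_ip)
    return reverse_name is not None and dns_san_matches(cert, reverse_name)


def verify_strict(cert, peer_ip, expected_hostname=None):
    """Hardened pattern: identity must come from the literal IP SAN or from the
    hostname the caller itself dialled (configured/forward-resolved), never
    from a reverse lookup that a third party can influence."""
    if ip_san_matches(cert, peer_ip):
        return True
    return expected_hostname is not None and dns_san_matches(cert, expected_hostname)


# Constructed scenario (hypothetical PKI; assume both certs chain to a trusted CA).
LEGIT_SERVER_CERT = {"ip_sans": ["10.0.0.5"], "dns_sans": ["zk1.example.internal"]}
OTHER_TRUSTED_CERT = {"ip_sans": [], "dns_sans": ["other.example.internal"]}
# Reverse zone content; in the attack scenario the 10.0.0.9 entry is attacker-influenced.
CONSTRUCTED_PTR = {"10.0.0.5": "zk1.example.internal", "10.0.0.9": "other.example.internal"}


def demo():
    """Client configured to reach zk1.example.internal; an endpoint at 10.0.0.9
    presents a trusted certificate for a different name."""
    ptr = CONSTRUCTED_PTR.get
    return {
        "legit_fallback": verify_with_ptr_fallback(LEGIT_SERVER_CERT, "10.0.0.5", ptr),
        "legit_strict": verify_strict(LEGIT_SERVER_CERT, "10.0.0.5", "zk1.example.internal"),
        # Fallback accepts: the PTR name matches a DNS SAN nobody configured.
        "rogue_fallback": verify_with_ptr_fallback(OTHER_TRUSTED_CERT, "10.0.0.9", ptr),
        # Strict rejects: neither the IP nor the configured hostname matches.
        "rogue_strict": verify_strict(OTHER_TRUSTED_CERT, "10.0.0.9", "zk1.example.internal"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The fix for the real library is the upgrade listed below; this model is only meant to show why a PTR-derived name is the wrong input for identity verification.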

What is the Impact of CVE-2026-24281?

Successful exploitation may allow attackers to perform impersonation attacks against ZooKeeper servers or clients, potentially leading to unauthorized access, data manipulation, or denial of service within the ZooKeeper ensemble or dependent applications.

What is the Exploitability of CVE-2026-24281?

Exploitation of this vulnerability is complex and requires specific prerequisites. An attacker needs to control or spoof DNS PTR records so that the peer's address reverse-resolves to a name of their choosing. Crucially, the attacker must also possess a valid certificate for that name that is trusted by the target ZKTrustManager, which significantly increases the difficulty. The attack is carried out over the network, against the TLS connections between ZooKeeper components. The need for a trusted certificate is the major constraint: successful exploitation is unlikely without prior compromise of, or insider access to, the certificate infrastructure.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
(no entries: no known public exploits)

What are the Available Fixes for CVE-2026-24281?

Available Upgrade Options

  • org.apache.zookeeper:zookeeper
    • >=3.8.0, <3.8.6 → Upgrade to 3.8.6
    • >=3.9.0, <3.9.5 → Upgrade to 3.9.5
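An added check for the affected ranges above, written for this page rather than taken from the advisory or from ZooKeeper: it reads the dependencies out of a pom.xml, resolves `${property}` versions from the `<properties>` block, and reports the upgrade target for any `org.apache.zookeeper:zookeeper` coordinate that falls in a listed range. The pom.xml embedded below is constructed; the ranges and fix versions are the ones the advisory states.

```python
"""Flag org.apache.zookeeper:zookeeper versions affected by CVE-2026-24281.
Added tooling example; the pom.xml content is constructed."""
import re
import xml.etree.ElementTree as ET

ARTIFACT = "org.apache.zookeeper:zookeeper"
# (inclusive lower bound, exclusive upper bound, upgrade target), from the advisory
AFFECTED_RANGES = [((3, 8, 0), (3, 8, 6), "3.8.6"), ((3, 9, 0), (3, 9, 5), "3.9.5")]


def parse_version(version):
    """'3.8.4' -> (3, 8, 4). Qualifiers such as '-SNAPSHOT' are dropped, so a
    pre-release is treated as its base version (errs towards flagging)."""
    base = re.split(r"[-+]", version, 1)[0]
    parts = tuple(int(p) for p in base.split(".") if p.isdigit())
    return parts + (0,) * (3 - len(parts))


def remediation(version):
    """Upgrade target if the version is in an affected range, else None."""
    v = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        if lo <= v < hi:
            return fix
    return None


def _local(tag):
    # Strip the Maven POM namespace: '{http://maven.apache.org/POM/4.0.0}groupId' -> 'groupId'
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def scan_pom(pom_xml):
    """Return (coordinate, resolved version, verdict) for each matching dependency."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for p in elem:
                props[_local(p.tag)] = (p.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        coord = f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"
        if coord != ARTIFACT:
            continue
        version = _child_text(dep, "version") or ""
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        if not version or version.startswith("${"):
            # Inherited from a parent/BOM or an unknown property: needs manual review.
            findings.append((coord, version, "unresolved"))
            continue
        fix = remediation(version)
        findings.append((coord, version, fix if fix else "not affected"))
    return findings


# Constructed pom.xml: one affected dependency via a property, one unrelated artifact.
CONSTRUCTED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><zk.version>3.9.3</zk.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper</artifactId>
      <version>${zk.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.zookeeper</groupId>
      <artifactId>zookeeper-jute</artifactId>
      <version>3.8.4</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, version, verdict in scan_pom(CONSTRUCTED_POM):
        print(f"{coord} {version}: {verdict}")
```

Transitive copies of the artifact pulled in by other dependencies are not visible in the pom itself; run the same range check over the output of `mvn dependency:tree` (or your SBOM) to cover those.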


Additional Resources

What are Similar Vulnerabilities to CVE-2026-24281?

Similar Vulnerabilities: CVE-2021-39230, CVE-2015-1832, CVE-2014-0050, CVE-2014-0048, CVE-2020-13756