CVE-2026-24308
Improper Handling of Configuration Values vulnerability in zookeeper (Maven)


What is CVE-2026-24308 About?

This vulnerability in Apache ZooKeeper's ZKConfig leads to the exposure of sensitive configuration information. It allows an attacker to retrieve potentially sensitive data from client log files. Exploitation is straightforward, as it only requires read access to those log files.

Affected Software

  • org.apache.zookeeper:zookeeper
    • >=3.9.0, <3.9.5
    • >=3.8.0, <3.8.6

Technical Details

Apache ZooKeeper versions 3.8.5 and 3.9.4 handle configuration values improperly within the ZKConfig component. Specifically, when a client configuration is processed, sensitive values embedded in it are written to the client's log file at the 'INFO' logging level. Any process or individual with access to the client's log files can therefore read this sensitive data. The attack vector is simply reading the log files; if they are not properly secured, this results in information disclosure without any interaction with the ZooKeeper service itself.
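As an added defender-side example (not part of this advisory and not ZooKeeper's own code): a small Python scanner that flags client log lines in which a property whose name suggests a secret is written in clear, and masks such values before a log is forwarded or shared. The log4j-style line layout, logger names, messages and property names below are constructed assumptions, not ZooKeeper's real output.

```python
import re

# Property-name substrings that mark a value as sensitive (constructed list, matched case-insensitively).
SENSITIVE_KEY_MARKERS = ("password", "passwd", "secret", "token", "credential", "privatekey")

# Assumed log4j-style layout: "<date> <time> [<thread>] <LEVEL> <logger> - <message>".
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]*)\]\s+(?P<level>[A-Z]+)\s+"
                      r"(?P<logger>\S+) - (?P<msg>.*)$")
# key=value pairs inside a message; a value runs up to the next comma or whitespace.
KV_PAIR = re.compile(r"(?P<key>[\w.\-]+)=(?P<val>[^,\s]+)")

# Constructed sample client log: illustrative messages, not ZooKeeper's real output.
SAMPLE_LOG = [
    "2026-02-03 10:15:01,204 [main] INFO  org.apache.zookeeper.common.ZKConfig - "
    "Loaded client configuration: zookeeper.client.secure=true, "
    "zookeeper.ssl.keyStore.location=/etc/zk/client.jks, zookeeper.ssl.keyStore.password=hunter2",
    "2026-02-03 10:15:01,210 [main] INFO  org.apache.zookeeper.ZooKeeper - "
    "Initiating client connection, connectString=zk1:2181",
    "2026-02-03 10:15:01,300 [main] DEBUG org.apache.zookeeper.ClientCnxn - zookeeper.sasl.client=true",
]

def is_sensitive_key(key):
    return any(marker in key.lower() for marker in SENSITIVE_KEY_MARKERS)

def mask(value):
    # Keep only the length, so an analyst can tell an empty value from a real one.
    return "<redacted %d chars>" % len(value)

def find_leaked_config(lines):
    """One finding per sensitive key=value pair, at any log level (not just INFO)."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a recognised log line; a stricter scanner would report it
        for kv in KV_PAIR.finditer(m.group("msg")):
            if is_sensitive_key(kv.group("key")):
                findings.append({"line": number, "level": m.group("level"),
                                 "logger": m.group("logger"), "key": kv.group("key"),
                                 "value": mask(kv.group("val"))})
    return findings

def redact_line(line):
    """Mask sensitive values so the line can be forwarded or shared safely."""
    def _sub(kv):
        if is_sensitive_key(kv.group("key")):
            return kv.group("key") + "=" + mask(kv.group("val"))
        return kv.group(0)
    return KV_PAIR.sub(_sub, line)
```

On the sample log, find_leaked_config reports the first line (INFO, ZKConfig logger, key zookeeper.ssl.keyStore.password) and redact_line replaces its value with a length-only placeholder while leaving the other lines untouched.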

What is the Impact of CVE-2026-24308?

Successful exploitation may allow attackers to gain access to sensitive configuration data, potentially leading to further compromise of the system, unauthorized access to resources, or escalation of privileges.

What is the Exploitability of CVE-2026-24308?

Exploitation is of low complexity: the disclosure itself requires no authentication to ZooKeeper once the attacker has access to the filesystem where the log files are stored. No privileges are needed beyond read access to those files. This is primarily a local access vulnerability, since reading the log files normally requires direct access to the system hosting the ZooKeeper client, though it becomes remote if the log files are accessible via network shares or web interfaces. There are no special conditions or constraints other than the log files being present and readable. The risk is significantly higher in production systems, where log files may contain highly sensitive information and are often not adequately protected.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table has no entries).

What are the Available Fixes for CVE-2026-24308?

Available Upgrade Options

  • org.apache.zookeeper:zookeeper
    • >=3.8.0, <3.8.6 → Upgrade to 3.8.6
  • org.apache.zookeeper:zookeeper
    • >=3.9.0, <3.9.5 → Upgrade to 3.9.5


Additional Resources

What are Similar Vulnerabilities to CVE-2026-24308?

Similar Vulnerabilities: CVE-2023-34039, CVE-2022-22965, CVE-2020-10705, CVE-2019-15587, CVE-2018-1000632