CVE-2026-24281

MEDIUM 5.9

Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

CWE	CWE-350 CWE-295
Vendor	apache software foundation
Product	apache zookeeper
Published	Mar 7, 2026
Last Updated	Mar 10, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache zookeeper

Be the first to know when new medium vulnerabilities affecting apache software foundation apache zookeeper are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache ZooKeeper

3.9.0 ≤ 3.9.4 3.8.0 ≤ 3.8.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 openwall.com: http://www.openwall.com/lists/oss-security/2026/03/07/4

Credits

🔍 Nikita Markevich <[email protected]>