Skip to main content

Dnsdist CVE-2026-24029

| EUVDEUVD-2026-17403 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-31 OX GHSA-hh36-f69g-hq4h
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 12:15 euvd
EUVD-2026-17403
Analysis Generated
Mar 31, 2026 - 12:15 vuln.today
CVE Published
Mar 31, 2026 - 11:59 nvd
MEDIUM 6.5

DescriptionCVE.org

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

AnalysisAI

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_drop option is disabled on nghttp2 frontends, exposing the DNS resolver to unauthorized query submission and potential information disclosure. Affected versions include dnsdist across multiple releases where this configuration weakness exists; the vulnerability has a CVSS score of 6.5 and exposes both confidentiality and integrity concerns despite not affecting availability.

Technical ContextAI

DNS over HTTPS (DoH) represents DNS queries tunneled through HTTPS, requiring separate access control enforcement at the application layer rather than relying on traditional DNS protocol-level filtering. The nghttp2 provider is HAProxy/dnsdist's HTTP/2 implementation for handling DoH frontends. The early_acl_drop (earlyACLDrop in Lua) option is a performance and security feature that evaluates access control lists at the earliest stage of request processing-before query parsing and forwarding. When disabled (counter to the default-enabled state), the ACL check is deferred or skipped entirely for DoH requests, allowing the application logic to proceed without authorization validation. This represents a logic flaw in the conditional ACL enforcement path specific to the nghttp2 provider implementation.

RemediationAI

Upgrade dnsdist to a patched version released by the PowerDNS project; exact version numbers are not confirmed in the available input data, but the vendor advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html provides authoritative guidance on fixed releases. As an interim mitigation, ensure the early_acl_drop option is enabled (default state) on all nghttp2 DoH frontends by explicitly setting early_acl_drop = true in Lua configuration or the equivalent dnsdist configuration syntax. Additionally, review and audit dnsdist ACL rules to verify that intended access restrictions are in place and that no misconfigured frontends are currently accessible to unauthorized networks.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24030 MEDIUM
5.3 Mar 31

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-27854 MEDIUM
4.8 Mar 31

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method

CVE-2026-33597 LOW
3.7 Apr 22

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service

CVE-2026-33599 LOW
3.1 Apr 22

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon

CVE-2026-33596 LOW
3.1 Apr 22

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Vendor StatusVendor

Debian

dnsdist
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bookworm fixed (unfixed) end-of-life
trixie vulnerable 1.9.10-1+deb13u1 -
forky vulnerable 2.0.2-1 -
sid fixed 2.0.3-1 -
(unstable) fixed 2.0.3-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-24029 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy