EUVD-2026-17403
GHSA-hh36-f69g-hq4h
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Description
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Analysis
PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_drop option is disabled on nghttp2 frontends, exposing the DNS resolver to unauthorized query submission and potential information disclosure. Affected versions include dnsdist across multiple releases where this configuration weakness exists; the vulnerability has a CVSS score of 6.5 and exposes both confidentiality and integrity concerns despite not affecting availability.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | (unfixed) | end-of-life |
| bookworm | fixed | (unfixed) | end-of-life |
| trixie | vulnerable | 1.9.10-1+deb13u1 | - |
| forky | vulnerable | 2.0.2-1 | - |
| sid | fixed | 2.0.3-1 | - |
| (unstable) | fixed | 2.0.3-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today