CVE-2026-24281

HIGH 7.4 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 12, 2026 - 21:55 (vuln.today)
CVE Published: Mar 07, 2026 - 09:16 (nvd)

Description

Hostname verification in Apache ZooKeeper's ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails. An attacker who controls or can spoof the PTR record for their own address, and who holds a certificate trusted by ZKTrustManager for that PTR name, can therefore impersonate a ZooKeeper server or client. Because the attacker must already present a certificate that ZKTrustManager trusts, the vulnerability is harder to exploit than a plain hostname-verification bypass. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fix this issue by introducing a new configuration option to disable the reverse DNS lookup in the client and quorum protocols.

Analysis

A hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows an attacker holding a certificate the server trusts to impersonate ZooKeeper nodes by exploiting the fallback to reverse-DNS validation when the IP SAN check fails. An attacker who controls or spoofs PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising the confidentiality and integrity of the cluster. …
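To make the fallback concrete, the Python model below is an added example written for this page; it is not ZooKeeper's ZKTrustManager code. Certificates are reduced to their SAN entries, DNS is a constructed in-memory PTR table so the script runs offline, and the `allow_reverse_dns_lookup` parameter is a placeholder for the option the fixed releases add (the advisory does not state its exact name). The vulnerable path is the second chance given to a peer whose address matches no IP SAN: the name that gets checked next comes from a PTR record the peer's operator may control.

```python
"""Model of the PTR-fallback hostname check described in this advisory.

Added illustration, not ZooKeeper's code. Certificates are reduced to
their SAN entries and DNS is a constructed in-memory PTR table.
`allow_reverse_dns_lookup` is a placeholder name for the new option.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Constructed stand-in for an X.509 certificate that the trust
    store already accepts: only the identities it carries matter here."""
    subject: str
    ip_sans: list = field(default_factory=list)
    dns_sans: list = field(default_factory=list)


class HostnameMismatch(Exception):
    """Raised when no certificate identity matches the peer."""


def verify_ip_san(peer_ip: str, cert: PeerCert) -> None:
    """Strict check: the peer's address must appear as an IP SAN."""
    wanted = ipaddress.ip_address(peer_ip)
    if wanted not in {ipaddress.ip_address(i) for i in cert.ip_sans}:
        raise HostnameMismatch(f"{peer_ip} not in IP SANs {cert.ip_sans}")


def verify_dns_san(name: str, cert: PeerCert) -> None:
    """Check a DNS name against the certificate's DNS SANs (exact,
    case-insensitive match; wildcards deliberately not modelled)."""
    names = {n.lower().rstrip(".") for n in cert.dns_sans}
    if name.lower().rstrip(".") not in names:
        raise HostnameMismatch(f"{name} not in DNS SANs {cert.dns_sans}")


def verify_peer(peer_ip: str, cert: PeerCert, ptr_table: dict,
                allow_reverse_dns_lookup: bool) -> str:
    """Return which identity matched ('ip-san' or 'ptr'), or raise.

    With allow_reverse_dns_lookup=True this mirrors the vulnerable
    behaviour: when the IP SAN check fails, the peer address is resolved
    through reverse DNS and the resulting name is checked instead. The
    PTR name is chosen by whoever controls the reverse zone for that
    address, so the peer effectively picks which DNS SAN it must match.
    """
    try:
        verify_ip_san(peer_ip, cert)
        return "ip-san"
    except HostnameMismatch as ip_error:
        if not allow_reverse_dns_lookup:
            raise                             # fixed behaviour: no second chance
        ptr_name = ptr_table.get(peer_ip)     # stands in for a PTR query
        if ptr_name is None:
            raise ip_error
        verify_dns_san(ptr_name, cert)
        return "ptr"


def outcome(peer_ip: str, cert: PeerCert, ptr_table: dict,
            allow_reverse_dns_lookup: bool) -> str:
    """verify_peer with the exception folded into a string result."""
    try:
        return "accepted:" + verify_peer(peer_ip, cert, ptr_table,
                                         allow_reverse_dns_lookup)
    except HostnameMismatch:
        return "rejected"


# Constructed scenario. zk1 is a genuine ensemble member. The rogue peer
# holds a certificate the trust store accepts (issued by the same CA,
# say) for an unrelated name, and controls the reverse zone for its IP.
ZK1_IP = "10.0.0.5"
ZK1_CERT = PeerCert("zk1", ip_sans=["10.0.0.5"],
                    dns_sans=["zk1.internal.example"])

ROGUE_IP = "10.0.0.99"
ROGUE_CERT = PeerCert("rogue", ip_sans=[],
                      dns_sans=["build-agent.internal.example"])

PTR_TABLE = {
    "10.0.0.5": "zk1.internal.example",
    "10.0.0.99": "build-agent.internal.example",   # attacker-controlled PTR
}


if __name__ == "__main__":
    for label, allow in (("vulnerable (PTR fallback on)", True),
                         ("fixed (PTR fallback off)", False)):
        print(label)
        print("  zk1   ->", outcome(ZK1_IP, ZK1_CERT, PTR_TABLE, allow))
        print("  rogue ->", outcome(ROGUE_IP, ROGUE_CERT, PTR_TABLE, allow))
```

With the fallback on, the rogue peer is accepted via the PTR path even though its address matches nothing in its certificate; with the fallback off it is rejected while the genuine member still passes on its IP SAN. The operational caveat this exposes is the "if possible" in the remediation: in this model, once the reverse lookup is disabled, the check has only the peer address to work with, so confirm that your ZooKeeper certificates carry IP SANs (or whatever identities your deployment actually presents) before turning the fallback off, or legitimate peers will start failing verification too.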


Remediation

Within 24 hours: inventory all ZooKeeper instances and document their network exposure; determine whether the PTR records for ZooKeeper addresses are served by infrastructure you control. Within 7 days: restrict ZooKeeper client and quorum traffic to trusted internal networks through network segmentation; upgrade to 3.8.6 or 3.9.5 and use the new configuration option to disable the reverse DNS lookup, if your deployment permits it. …


Priority Score

37 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +37
POC: 0

Vendor Status


CVE-2026-24281 vulnerability details – vuln.today
