Skip to main content

Zookeeper CVE-2026-24281

HIGH
Improper Certificate Validation (CWE-295)
2026-03-07 security@apache.org GHSA-7xrh-hqfc-g7qr
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 07, 2026 - 09:16 nvd
HIGH 7.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 461 maven packages depend on org.apache.zookeeper:zookeeper (90 direct, 372 indirect)

Ecosystem-wide dependent count for version 3.8.0.

DescriptionNVD

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

AnalysisAI

Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by the server to impersonate ZooKeeper nodes by exploiting fallback to reverse DNS validation when IP SAN checks fail. An attacker controlling or spoofing PTR records can intercept and forge communications between ZooKeeper servers and clients, compromising confidentiality and integrity of the cluster. No patch is currently available; mitigation requires upgrading to ZooKeeper 3.8.6 or 3.9.5 or disabling reverse DNS lookup via configuration.

Technical ContextAI

Classified as CWE-295 (Improper Certificate Validation). Affects Zookeeper. Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introduc

RemediationAI

Update to version 3.8.6 or later. Restrict network access to the affected service where possible.

CVE-2017-5637 HIGH POC
7.5 Oct 10

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper

CVE-2016-5017 HIGH POC
8.1 Sep 21

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch

CVE-2024-51504 CRITICAL
9.1 Nov 07

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofin

CVE-2023-44981 CRITICAL
9.1 Oct 11

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. Rated critical severity (CVSS 9.1),

CVE-2026-24308 HIGH
7.5 Mar 07

Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthentica

CVE-2018-8012 HIGH
7.5 May 21

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, a

CVE-2021-21295 MEDIUM
5.9 Mar 09

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable h

CVE-2019-0201 MEDIUM
5.9 May 23

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. Rated medium severity (CVSS 5.9),

CVE-2024-23944 MEDIUM
5.3 Mar 15

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. Rated medium severi

CVE-2025-58457 MEDIUM POC
4.3 Sep 24

Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insu

Vendor StatusVendor

Share

CVE-2026-24281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy