CVE-2026-24308
HIGH
GHSA-crhr-qqj8-rpxc
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Analysis
Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running ZooKeeper 3.8.5 or 3.9.4 and assess whether client credentials are present in current logfiles; immediately restrict logfile access permissions to authorized administrators only. Within 7 days: Search centralized logging systems, backup archives, and log aggregation platforms for any historical exposure of sensitive configuration data and initiate credential rotation for any potentially compromised secrets. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today