Skip to main content

Zookeeper CVE-2026-24308

HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-03-07 security@apache.org GHSA-crhr-qqj8-rpxc
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
3.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 07, 2026 - 09:16 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 115 maven packages depend on org.apache.zookeeper:zookeeper (23 direct, 92 indirect)

Ecosystem-wide dependent count for version 3.9.0.

DescriptionNVD

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

AnalysisAI

Apache ZooKeeper 3.8.5 and 3.9.4 improperly log sensitive client configuration data at INFO level, allowing unauthenticated remote attackers to extract credentials and other confidential information from application logfiles. The vulnerability affects all platforms and requires no user interaction or special privileges to exploit. No patch is currently available, leaving vulnerable deployments exposed until upgrades to versions 3.8.6 or 3.9.5 are deployed.

Technical ContextAI

Classified as CWE-532 (Insertion of Sensitive Information into Log File). Affects Zookeeper. Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

RemediationAI

Update to version 3.8.6 or later. Restrict network access to the affected service where possible.

CVE-2017-5637 HIGH POC
7.5 Oct 10

Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper

CVE-2016-5017 HIGH POC
8.1 Sep 21

Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch

CVE-2026-24281 HIGH POC
7.4 Mar 07

Hostname verification bypass in Apache ZooKeeper's ZKTrustManager allows attackers with a valid certificate trusted by t

CVE-2024-51504 CRITICAL
9.1 Nov 07

When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofin

CVE-2023-44981 CRITICAL
9.1 Oct 11

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. Rated critical severity (CVSS 9.1),

CVE-2018-8012 HIGH
7.5 May 21

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, a

CVE-2021-21295 MEDIUM
5.9 Mar 09

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable h

CVE-2019-0201 MEDIUM
5.9 May 23

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. Rated medium severity (CVSS 5.9),

CVE-2024-23944 MEDIUM
5.3 Mar 15

Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. Rated medium severi

CVE-2025-58457 MEDIUM POC
4.3 Sep 24

Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insu

Vendor StatusVendor

Share

CVE-2026-24308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy