Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
AnalysisAI
PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, corrupting the LMDB backend database and causing service degradation or denial of availability. The vulnerability requires high-privilege REST API access and affects deployments using LMDB as the backend storage engine, with confirmed impact on data integrity and availability.
Technical ContextAI
PowerDNS Authoritative is a DNS nameserver that supports multiple backend storage engines including LMDB (Lightning Memory-Mapped Database), a high-performance key-value store. The vulnerability exists in the REST API's record validation logic when handling HTTPS (type 65) and SVCB (type 64) record types, which are modern DNS record types used for service binding and HTTPS certificate validation. The REST API accepts authenticated requests from operators to create or modify DNS records, but insufficient input validation on these specific record types allows crafted payloads to be written directly to the LMDB database. LMDB's strict data format requirements mean corrupted records can corrupt internal database structures, affecting all subsequent queries. The CWE classification is not specified but the root cause appears related to improper input validation (CWE-20) and insufficient encoding handling for DNS record data.
RemediationAI
Apply the vendor-released security patch from PowerDNS per the advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html. Specific patched version not provided in input data - verify exact upgrade target in the advisory. As an interim compensating control, restrict REST API access to a minimal set of trusted operators using network-level access controls (firewall rules limiting API endpoints to specific IPs) and disable REST API entirely if not actively used in production. Monitor LMDB database integrity using PowerDNS built-in diagnostics or external database verification tools to detect corruption. Database repairs may be necessary if corruption is detected before patching; consult PowerDNS documentation for LMDB recovery procedures. Mitigating controls reduce attack surface but do not eliminate the vulnerability in unpatched versions.
More in Authoritative
View allPowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this
PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24951