Skip to main content

dnsdist CVE-2026-40011

| EUVDEUVD-2026-39346 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-06-25 security@open-xchange.com GHSA-f83r-q8f4-f336
3.7
CVSS 3.1 · Vendor: open-xchange

Severity by source

Vendor (open-xchange) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.8 MEDIUM

AV:N and PR:N reflect unauthenticated DNS query submission; AC:H for the sustained crafted-query requirement; A:L added over vendor score to capture temporary Prometheus endpoint unavailability.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (open-xchange).

CVSS VectorVendor: open-xchange

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 14:16 EUVD
Analysis Generated
Jun 25, 2026 - 13:31 vuln.today

DescriptionCVE.org

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

AnalysisAI

Prometheus metrics endpoint corruption in PowerDNS dnsdist allows a remote unauthenticated attacker to disrupt monitoring visibility by flooding the resolver with crafted DNS queries. The flood triggers insertion of a dynamic block whose value serialises into invalid Prometheus exposition format, causing the /metrics endpoint to be rejected by the scraper until the dynamic block TTL expires naturally. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send sustained volume of crafted DNS queries
Delivery
Trigger dynamic block insertion with invalid metadata value
Exploit
Invalid value serialised into Prometheus /metrics output
Execution
Prometheus scraper rejects malformed metrics response
Impact
Monitoring visibility lost until dynamic block TTL expires

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target dnsdist instance has the Prometheus metrics endpoint enabled and network-reachable from the attacker, and that the attacker can sustain a sufficiently large volume of specifically crafted DNS queries to trigger dynamic block insertion with the invalid value - this high-volume requirement is reflected in the CVSS AC:H rating. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) accurately captures a low-severity, high-complexity, network-accessible condition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with no authentication or prior foothold sends a sustained flood of crafted DNS queries to a network-accessible dnsdist instance that has the Prometheus metrics endpoint enabled. The specific query pattern triggers insertion of a dynamic block whose associated value contains characters invalid in Prometheus exposition format. …
Remediation The primary remediation is to apply the vendor-released patch documented in the PowerDNS dnsdist security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html; exact fix version numbers are not confirmed in the available data and must be obtained directly from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40011 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy