Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Incorrect Behaviour of Views with TCP PROXY Requests
AnalysisAI
Incorrect view selection in PowerDNS Authoritative Server when processing TCP PROXY protocol requests exposes DNS records intended for a different network segment to remote unauthenticated attackers, producing both unauthorized information disclosure and limited integrity impact. Deployments running split-horizon DNS via the Views feature alongside TCP PROXY protocol support are the specific affected population. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the attack concept requires no authentication and no user interaction, making it relevant wherever both features are co-deployed.
Technical ContextAI
PowerDNS Authoritative Server (CPE: cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*) supports a Views mechanism - a split-horizon DNS construct that returns distinct record sets to clients based on their source IP, commonly used to serve different data to internal versus external networks. The TCP PROXY protocol (originally specified by HAProxy) prepends a header to TCP streams carrying the original client IP through load balancers or reverse proxies to backend services. The vulnerability arises because the Views policy evaluation incorrectly handles the client address extracted from PROXY protocol headers, applying the wrong view for the request. No CWE was formally assigned; the behavior is closest in character to CWE-290 (Authentication Bypass by Spoofing) or CWE-284 (Improper Access Control) applied to DNS view selection logic. The CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N reflects that the attack is network-reachable with no credentials but requires specific co-configured conditions.
RemediationAI
Patch available per vendor advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html - the exact patched version was not included in the available intelligence and must be confirmed from that advisory before upgrading. As an immediate compensating control, disable TCP PROXY protocol support on the PowerDNS Authoritative instance if it is not operationally required; this eliminates the attack surface entirely but will cause loss of real client IP visibility through load balancers, potentially affecting Views-based access control downstream. If PROXY protocol cannot be disabled, restrict its acceptance to trusted upstream proxy IP ranges via host-based firewall or network ACL - this reduces exposure to only those trusted sources, though it does not fix the underlying logic flaw. Organizations should validate that after patching, Views correctly identifies clients behind PROXY-protocol-enabled load balancers to avoid service disruption.
More in Authoritative
View allPowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this
PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31262
GHSA-f6hj-gwxc-95c3