Skip to main content

PowerDNS Authoritative CVE-2026-41999

| EUVDEUVD-2026-31262 MEDIUM
Improper Access Control (CWE-284)
2026-05-21 OX GHSA-f6hj-gwxc-95c3
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
May 21, 2026 - 11:01 EUVD
Analysis Generated
May 21, 2026 - 10:46 vuln.today

DescriptionCVE.org

Incorrect Behaviour of Views with TCP PROXY Requests

AnalysisAI

Incorrect view selection in PowerDNS Authoritative Server when processing TCP PROXY protocol requests exposes DNS records intended for a different network segment to remote unauthenticated attackers, producing both unauthorized information disclosure and limited integrity impact. Deployments running split-horizon DNS via the Views feature alongside TCP PROXY protocol support are the specific affected population. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV; however, the attack concept requires no authentication and no user interaction, making it relevant wherever both features are co-deployed.

Technical ContextAI

PowerDNS Authoritative Server (CPE: cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*) supports a Views mechanism - a split-horizon DNS construct that returns distinct record sets to clients based on their source IP, commonly used to serve different data to internal versus external networks. The TCP PROXY protocol (originally specified by HAProxy) prepends a header to TCP streams carrying the original client IP through load balancers or reverse proxies to backend services. The vulnerability arises because the Views policy evaluation incorrectly handles the client address extracted from PROXY protocol headers, applying the wrong view for the request. No CWE was formally assigned; the behavior is closest in character to CWE-290 (Authentication Bypass by Spoofing) or CWE-284 (Improper Access Control) applied to DNS view selection logic. The CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N reflects that the attack is network-reachable with no credentials but requires specific co-configured conditions.

RemediationAI

Patch available per vendor advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html - the exact patched version was not included in the available intelligence and must be confirmed from that advisory before upgrading. As an immediate compensating control, disable TCP PROXY protocol support on the PowerDNS Authoritative instance if it is not operationally required; this eliminates the attack surface entirely but will cause loss of real client IP visibility through load balancers, potentially affecting Views-based access control downstream. If PROXY protocol cannot be disabled, restrict its acceptance to trusted upstream proxy IP ranges via host-based firewall or network ACL - this reduces exposure to only those trusted sources, though it does not fix the underlying logic flaw. Organizations should validate that after patching, Views correctly identifies clients behind PROXY-protocol-enabled load balancers to avoid service disruption.

CVE-2016-5427 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this

CVE-2016-5426 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU

CVE-2020-24698 CRITICAL
9.8 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti

CVE-2020-24696 HIGH
8.1 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2026-42001 HIGH
7.5 May 21

Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi

CVE-2020-24697 HIGH
7.5 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2019-10162 HIGH
7.5 Jul 30

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use

CVE-2018-14626 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab

CVE-2018-10851 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi

CVE-2026-42000 MEDIUM
6.8 May 21

Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-41999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy