Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Insufficient Validation of Names During AXFR
AnalysisAI
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS records by exploiting insufficient validation of DNS names received during AXFR (zone transfer) processing. The CVSS changed-scope indicator (S:C) reflects that the high-integrity impact extends beyond the vulnerable server itself to all downstream systems consuming the corrupted zone data, enabling a form of DNS record poisoning. No public exploit has been identified at time of analysis, and the high attack complexity (AC:H) constrains exploitation to adversaries with specific network positioning or control over a zone transfer source.
Technical ContextAI
AXFR (Authoritative Full Transfer) is the DNS full zone transfer protocol defined in RFC 5936, used by secondary authoritative name servers to replicate complete zone data from a primary. PowerDNS Authoritative (CPE: cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*) is a widely deployed open-source authoritative DNS server. The vulnerability arises from insufficient validation of DNS name records during AXFR ingestion - when a secondary instance processes zone transfer data containing malformed or malicious names, the lack of proper validation allows those records to be accepted, stored, and subsequently served to DNS clients. No CWE classification was provided, which limits precise root-cause characterization, but the behavior is consistent with input validation failures (broadly analogous to CWE-20). The changed-scope CVSS vector confirms the integrity impact propagates to components beyond the vulnerable server, specifically the DNS resolution experience of clients relying on the affected zone.
RemediationAI
Patch available per vendor advisory - consult the PowerDNS security advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html for the exact fixed version, which was not independently confirmed from the provided data. As a compensating control pending upgrade, restrict zone transfer sources using PowerDNS's 'allow-axfr-ips' configuration directive to permit AXFR only from explicitly enumerated trusted primary IP addresses, reducing the attacker surface by limiting who can deliver zone transfer data to the server; note that IP-based restrictions alone remain vulnerable to source address spoofing on networks without BCP38 enforcement. Additionally, deploy TSIG (Transaction Signature, RFC 2845) authentication on all zone transfer channels, which provides cryptographic verification of the AXFR source and prevents injection from unauthorized or spoofed primaries; this requires coordinated symmetric key management across all DNS peering relationships and introduces operational overhead if keys must be rotated. Deployments functioning solely as primary servers and never receiving AXFR data are not exposed to this specific vulnerability path.
More in Authoritative
View allPowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this
PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi
PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, cor
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31261
GHSA-cmjg-f724-5qh3