Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Insufficient Validation of Autoprimary SOA Queries
AnalysisAI
Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received via the Autoprimary (formerly 'supermaster') replication mechanism, allowing unauthenticated network-based attackers to disrupt service availability. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with availability-only impact, and no public exploit identified at time of analysis. The OX-reported issue is documented in PowerDNS Security Advisory 2026-06.
Technical ContextAI
PowerDNS Authoritative Server is an open-source authoritative DNS nameserver (CPE cpe:2.3:a:powerdns:authoritative) widely deployed by ISPs, hosting providers, and enterprises. The Autoprimary feature lets the server automatically provision new zones when it receives a NOTIFY/SOA query from a trusted upstream primary, removing the need to manually pre-configure each slave zone. The vulnerability lies in how incoming SOA queries within this Autoprimary code path are validated; insufficient input checks (no CWE was assigned, but the behavior aligns with improper input validation classes such as CWE-20) let a crafted SOA query disrupt the server. Because SOA handling sits in the DNS query path, the flaw is exposed wherever the authoritative service listens for DNS traffic and Autoprimary is enabled.
RemediationAI
Patch available per vendor advisory: upgrade PowerDNS Authoritative Server to the fixed release identified in PowerDNS Security Advisory 2026-06 (https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html); exact fix versions are not reproduced in the provided input, so consult the advisory for the precise build. Until you can patch, the most effective compensating control is to disable the Autoprimary feature (set autosecondary=no / remove the legacy supermaster configuration) - the side effect is that new zones can no longer be auto-provisioned and must be configured manually. If Autoprimary must remain enabled, restrict inbound DNS (UDP/TCP 53) at the network edge so that only known primary IPs can reach the authoritative server's query interface, and place the management interface behind an ACL; the trade-off is operational overhead when primaries change addresses. Do not rely on rate limiting alone, as a single malformed SOA may be sufficient to trigger the condition.
More in Authoritative
View allPowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this
PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high
A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi
Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec
PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, cor
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31259
GHSA-mxqj-8r4c-fp83