Skip to main content

NSD EUVDEUVD-2026-39185

| CVE-2026-12490 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-25 NLnet Labs GHSA-27xx-c7vg-hjjj
8.2
CVSS 4.0 · Vendor: NLnet Labs
Share

Severity by source

Vendor (NLnet Labs) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Network-reachable with no auth (the missing client-cert check is the flaw, PR:N); AC:H because it depends on a tls-auth-name config and matching provide-xfr conditions; impact is zone disclosure only (C:H, I:N, A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
7.5 MEDIUM
qualitative

Primary rating from Vendor (NLnet Labs).

CVSS VectorVendor: NLnet Labs

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 08:01 EUVD
Analysis Generated
Jun 25, 2026 - 07:01 vuln.today

DescriptionCVE.org

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.

AnalysisAI

Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents without presenting the required TLS client certificate. Although a provide-xfr rule specifies a tls-auth-name (mandating client-certificate authentication), NSD only enforces this on the dedicated tls-auth-port; requests arriving over plain TCP on the regular port or over TLS on the regular tls-port are served when the remaining provide-xfr conditions match, defeating mutual-TLS access control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify NSD with XFR-over-TLS client-cert config
Delivery
Connect to regular tls-port or TCP port without client cert
Exploit
Satisfy provide-xfr match conditions
Execution
Send AXFR/IXFR request
Impact
Receive full zone data (auth bypassed)

Vulnerability AssessmentAI

Exploitation Requires the target NSD to have a provide-xfr rule configured with a tls-auth-name (i.e., XFR-over-TLS client-certificate authentication is in use) - this is not NSD's default and is the core prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a credible, prioritizable confidentiality issue rather than a high-score-low-risk artifact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an NSD server's regular tls-port or plain TCP DNS port - and who meets the provide-xfr rule's other conditions such as a permitted source address - issues an AXFR request without any client certificate and receives the full zone contents that were supposed to be protected by mutual-TLS authentication. No public POC is referenced; AC:H reflects the dependence on a specific tls-auth-name configuration and on satisfying the rule's remaining match conditions.
Remediation Upgrade NSD to the patched release referenced in the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt (patch available per vendor advisory; the exact fixed version is not included in the provided data and must be taken from that advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running NLnet Labs NSD and audit secondary nameserver configurations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important

Share

EUVD-2026-39185 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy