Zero Day MonitorZDM

← Back to list

7.4

CVE-2026-24281PATCHED

apache · zookeeper

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper serv

Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

Affected Products

Vendor	Product	Versions
apache	zookeeper	< 3.8.6, < 3.9.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	tivoli network	cert_advisory	90%

References

https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2(Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/03/07/4(Mailing List, Third Party Advisory)

Related News (1 articles)

Tier B

BSI Advisories18h ago

[NEU] [hoch] IBM Tivoli Network Manager: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.17.4 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.8.63.9.5

CWECWE-295, CWE-350, CWE-295

PublishedMar 7, 2026

Last enriched8d ago

Trending Score25

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-34486EXP

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

HIGHCVE-2025-62188EXP

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 7, 2026

Patch Available

Mar 10, 2026

Discovered by ZDM

Apr 1, 2026