Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-24308PATCHED

apache · zookeeper

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the clie

Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

Affected Products

Vendor	Product	Versions
apache	zookeeper	< 3.8.6, < 3.9.5

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	tivoli network	cert_advisory	90%

References

https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr(Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/03/07/5(Mailing List, Third Party Advisory)

Related News (1 articles)

Tier B

BSI Advisories18h ago

[NEU] [hoch] IBM Tivoli Network Manager: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.8.63.9.5

CWECWE-532

PublishedMar 7, 2026

Last enriched8d ago

Trending Score25

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-34486EXP

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

HIGHCVE-2025-62188EXP

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 7, 2026

Patch Available

Mar 10, 2026

Discovered by ZDM

Apr 1, 2026