CVE-2026-24029EXPLOITEDPATCHED

powerdns · dnsdist

DNS over HTTPS ACL bypass

Description

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

Affected Products

Vendor	Product	Versions
powerdns	dnsdist	1.9.0, 2.0.0

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Related News (1 articles)

Tier C

VulDB3h ago

CVE-2026-24029 | PowerDNS DNSdist up to 1.9.11/2.0.2 early_acl_drop Remote Code Execution

→ No new info (linked only)

CVSS 3.16.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available1.9.11, 2.0.2

PublishedMar 31, 2026

Last enriched2h agov2

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

MEDIUMCVE-2026-24028EXP

Out-of-bounds read when parsing DNS packets via Lua

Trending: 53

MEDIUMCVE-2026-27853EXP

Out-of-bounds write when rewriting large DNS packets

Trending: 43

LOWCVE-2026-0396

HTML injection in the web dashboard

Trending: 36

MEDIUMCVE-2026-24030

Unbounded memory allocation for DoQ and DoH3

Trending: 33

MEDIUMCVE-2026-27854

Use after free when parsing EDNS options in Lua

Trending: 23

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 31, 2026

Discovered by ZDM

Mar 31, 2026

Updated: description, severity, activelyExploited, patchAvailable, cweIds, tags

Mar 31, 2026

Actively Exploited

Mar 31, 2026

Patch Available

Mar 31, 2026

Version History

Last enriched 2h ago

v2Tier C2h ago

Updated severity to CRITICAL, added description with details on Remote Code Execution, and noted that no exploit is available.

descriptionseverityactivelyExploitedpatchAvailablecweIdstags

via VulDB

v13h ago

Initial creation