CVE-2026-24281
Published: 07 March 2026
Summary
CVE-2026-24281 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Apache ZooKeeper. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 8.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- When certificates are used to establish component provenance, the control requires correct certificate validation procedures.
- Mandates approved trust anchors and issuance policies, directly preventing acceptance of unvalidated or untrusted certificates.
- Correct system time is required for proper enforcement of certificate notBefore/notAfter dates and time-based revocation checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in ZKTrustManager enables network exploitation of public-facing ZooKeeper instances (T1190) via improper cert validation fallback to PTR records, directly facilitating adversary-in-the-middle impersonation of servers/clients (T1557).
NVD Description
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
Deeper analysis
CVE-2026-24281 is a vulnerability in the hostname verification logic of Apache ZooKeeper's ZKTrustManager component. When IP Subject Alternative Name (SAN) validation fails during TLS certificate checks, the implementation falls back to reverse DNS (PTR record) lookups. This affects Apache ZooKeeper versions prior to 3.8.6 and 3.9.5, enabling attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients if they possess a certificate trusted by the ZKTrustManager. The issue is classified under CWE-295 (Improper Certificate Validation) and CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action), with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
An attacker can exploit this over the network with high attack complexity and no privileges or user interaction required. Exploitation requires the adversary to spoof or control the PTR record for the target's IP address and present a valid, trusted certificate matching the PTR-resolved hostname. Successful exploitation allows impersonation of legitimate ZooKeeper servers or clients, potentially leading to high confidentiality and integrity impacts, such as unauthorized access to ZooKeeper ensembles or man-in-the-middle attacks on client-quorum communications.
Apache advisories recommend upgrading to ZooKeeper 3.8.6 or 3.9.5, which address the issue by introducing a new configuration option to disable reverse DNS lookups in client and quorum protocols. Details are available in the Apache mailing list announcement at https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/07/4.
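To make the CWE-350 pattern concrete, the following added example (not ZooKeeper's ZKTrustManager code) models the hostname check for a peer connected by IP, once with the reverse-DNS fallback enabled and once with it disabled. The certificate SANs, the PTR table and the `reverse_dns_lookup` flag are constructed stand-ins; the flag is a hypothetical name for the kind of option the fixed releases introduce, not the real configuration key.

```python
import ipaddress
from typing import List, Optional, Tuple

SanList = List[Tuple[str, str]]  # (kind, value), kind in {"IP", "DNS"}

# Constructed PTR table standing in for the resolver: the adversary controls
# the PTR record for 10.0.0.5 and points it at a name they hold a cert for.
PTR_TABLE = {"10.0.0.5": "zk-rogue.attacker.example"}

# Constructed certificates (only their SANs matter here); both are assumed to
# chain to a CA the trust manager trusts, as the advisory requires.
LEGIT_CERT_SANS: SanList = [("DNS", "zk1.internal.example"), ("IP", "10.0.0.5")]
ROGUE_CERT_SANS: SanList = [("DNS", "zk-rogue.attacker.example")]

def ptr_lookup(ip: str) -> Optional[str]:
    """Simulated reverse DNS lookup (CWE-350: attacker-influenced input)."""
    return PTR_TABLE.get(ip)

def san_matches_ip(sans: SanList, peer_ip: str) -> bool:
    """True if an IP SAN equals the peer address (normalised, e.g. IPv6 forms)."""
    addr = ipaddress.ip_address(peer_ip)
    return any(k == "IP" and ipaddress.ip_address(v) == addr for k, v in sans)

def san_matches_dns(sans: SanList, name: str) -> bool:
    """True if a DNS SAN equals the name (exact, case-insensitive; no wildcards)."""
    return any(k == "DNS" and v.lower() == name.rstrip(".").lower() for k, v in sans)

def verify_peer(sans: SanList, peer_ip: str, reverse_dns_lookup: bool) -> Tuple[bool, str]:
    """Hostname check for a peer connected by IP. Returns (accepted, reason).

    reverse_dns_lookup=True reproduces the vulnerable fallback; False is the
    hardened behaviour: the peer's address must be in the certificate itself.
    """
    if san_matches_ip(sans, peer_ip):
        return True, "ip-san"
    if reverse_dns_lookup:
        # Vulnerable path: whoever controls the PTR record chooses the name
        # the certificate is checked against.
        name = ptr_lookup(peer_ip)
        if name and san_matches_dns(sans, name):
            return True, f"ptr-fallback:{name}"
    return False, "no-match"

if __name__ == "__main__":
    for label, sans in (("legit", LEGIT_CERT_SANS), ("rogue", ROGUE_CERT_SANS)):
        for flag in (True, False):
            print(label, f"reverse_dns_lookup={flag}", verify_peer(sans, "10.0.0.5", flag))
```

With the fallback disabled, the rogue certificate is rejected even though it is CA-trusted and matches the spoofed PTR name, while the legitimate certificate carrying an IP SAN is accepted in both modes.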
Details
- CWE(s)