Cyber Resilience

CVE-2026-24281

Severity: High
Published: 07 March 2026
Modified: 10 March 2026
KEV Added
Patch
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24281 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Apache ZooKeeper. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 9.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-3 (Device Identification and Authentication) and SC-17 (Public Key Infrastructure Certificates).

Deeper analysis

CVE-2026-24281 is a vulnerability in the hostname verification logic of Apache ZooKeeper's ZKTrustManager component. When IP Subject Alternative Name (SAN) validation fails during TLS certificate checks, the implementation falls back to reverse DNS (PTR record) lookups. This affects Apache ZooKeeper versions prior to 3.8.6 and 3.9.5, enabling attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients if they possess a certificate trusted by the ZKTrustManager. The issue is classified under CWE-295 (Improper Certificate Validation) and CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action), with a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

An attacker can exploit this over the network with high attack complexity and no privileges or user interaction required. Exploitation requires the adversary to spoof or control the PTR record for the target's IP address and present a valid, trusted certificate matching the PTR-resolved hostname. Successful exploitation allows impersonation of legitimate ZooKeeper servers or clients, potentially leading to high confidentiality and integrity impacts, such as unauthorized access to ZooKeeper ensembles or man-in-the-middle attacks on client-quorum communications.

Apache advisories recommend upgrading to ZooKeeper 3.8.6 or 3.9.5, which address the issue by introducing a new configuration option to disable reverse DNS lookups in client and quorum protocols. Details are available in the Apache mailing list announcement at https://lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/07/4.

EU & UK References

Vulnerability details

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It is important to note that the attacker must present a certificate which is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
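The fallback described in the deeper analysis and in the vulnerability details above is the CWE-350 pattern: an IP-SAN check that, on failure, consults a PTR record that the owner of the reverse zone controls. The following is an added stand-alone Python model of that verification logic, written for this page; it is not ZooKeeper's ZKTrustManager code, and the addresses, host names, certificate SAN lists, resolver functions and the `reverse_dns_fallback` switch are constructed assumptions (the name of the configuration option in the fixed releases is not reproduced here). It shows why the same trusted-but-unrelated certificate is accepted only when the fallback is enabled and the PTR record has been altered, and is rejected once the fallback is off.

```python
"""Model of IP-SAN hostname verification with an optional reverse-DNS fallback.

Added illustration for CVE-2026-24281 (CWE-295 / CWE-350); not ZooKeeper code.
All names, addresses and certificate contents below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

SanEntry = Tuple[str, str]                 # ("IP", "10.0.0.5") or ("DNS", "zk1.example.internal")
Resolver = Callable[[str], Optional[str]]  # peer IP -> PTR name, or None if no record


@dataclass(frozen=True)
class VerificationResult:
    accepted: bool
    reason: str


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS SAN comparison; a leading '*.' wildcard covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def verify_peer(peer_ip: str, san_entries: Sequence[SanEntry], *,
                reverse_dns_fallback: bool, resolver: Resolver) -> VerificationResult:
    """Verify that a certificate is for the peer reached at peer_ip.

    Step 1 compares the connection address against the certificate's IP SANs.
    Step 2 runs only when reverse_dns_fallback is True and mirrors the weak
    behaviour: a PTR lookup on the peer IP is matched against the DNS SANs.
    PTR data is published by whoever controls the reverse zone for that
    address, so this step trusts input the verifier does not control (CWE-350).
    """
    ip = ipaddress.ip_address(peer_ip)
    for kind, value in san_entries:
        if kind == "IP" and ipaddress.ip_address(value) == ip:
            return VerificationResult(True, "ip-san-match")

    if not reverse_dns_fallback:
        # Hardened behaviour: without an IP SAN match the certificate is not for this peer.
        return VerificationResult(False, "no-ip-san-match")

    ptr_name = resolver(peer_ip)
    if ptr_name is None:
        return VerificationResult(False, "no-ip-san-match-and-no-ptr")
    for kind, value in san_entries:
        if kind == "DNS" and dns_name_matches(value, ptr_name):
            return VerificationResult(True, f"ptr-fallback-match:{ptr_name}")
    return VerificationResult(False, f"ptr-fallback-mismatch:{ptr_name}")


# --- Constructed scenario (hypothetical address, names and certificates) ---
ENSEMBLE_PEER_IP = "10.0.0.5"

# Certificate the legitimate ensemble member presents: carries an IP SAN for its address.
LEGIT_CERT_SANS: Sequence[SanEntry] = (("DNS", "zk1.example.internal"), ("IP", "10.0.0.5"))

# A different certificate the truststore also accepts (the precondition the advisory
# stresses) but which names an unrelated host and carries no IP SAN.
OTHER_TRUSTED_CERT_SANS: Sequence[SanEntry] = (("DNS", "host.example.net"),)


def honest_resolver(ip: str) -> Optional[str]:
    """Reverse zone as the operator published it."""
    return {"10.0.0.5": "zk1.example.internal"}.get(ip)


def tampered_resolver(ip: str) -> Optional[str]:
    """Reverse zone whose PTR for the peer address has been changed to the unrelated name."""
    return {"10.0.0.5": "host.example.net"}.get(ip)


def run_scenarios() -> dict:
    """Return the verification outcome for each combination worth comparing."""
    return {
        "legit_cert_no_fallback": verify_peer(
            ENSEMBLE_PEER_IP, LEGIT_CERT_SANS, reverse_dns_fallback=False, resolver=tampered_resolver),
        "other_cert_fallback_honest_ptr": verify_peer(
            ENSEMBLE_PEER_IP, OTHER_TRUSTED_CERT_SANS, reverse_dns_fallback=True, resolver=honest_resolver),
        "other_cert_fallback_tampered_ptr": verify_peer(
            ENSEMBLE_PEER_IP, OTHER_TRUSTED_CERT_SANS, reverse_dns_fallback=True, resolver=tampered_resolver),
        "other_cert_no_fallback_tampered_ptr": verify_peer(
            ENSEMBLE_PEER_IP, OTHER_TRUSTED_CERT_SANS, reverse_dns_fallback=False, resolver=tampered_resolver),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:38s} accepted={result.accepted!s:5s} ({result.reason})")
```

Only one of the four runs accepts the unrelated certificate: fallback enabled together with an altered PTR record. With the fallback off, acceptance depends solely on what the certificate itself asserts about the address, which is the property the configuration option shipped in 3.8.6 and 3.9.5 is meant to restore; after upgrading, confirming that setting on both client and quorum connections is the check to make.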

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

The ZKTrustManager flaw allows network exploitation of public-facing ZooKeeper instances (T1190) through the improper certificate validation fallback to PTR records, which directly enables adversary-in-the-middle impersonation of servers or clients (T1557).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24308 (same product: Apache ZooKeeper)
CVE-2026-24734 (same vendor: Apache)
CVE-2025-66614 (same vendor: Apache)
CVE-2026-31923 (same vendor: Apache)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41873 (same vendor: Apache)
CVE-2025-24783 (same vendor: Apache)
CVE-2024-53678 (same vendor: Apache)
CVE-2026-34059 (same vendor: Apache)
CVE-2026-40961 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: zookeeper
Versions: 3.8.0 — 3.8.6 · 3.9.0 — 3.9.5

Mitigating Controls (NIST 800-53 r5)

SC-17 Public Key Infrastructure Certificates (prevent): Directly requires proper PKI certificate validation and management, which the flawed ZKTrustManager reverse-DNS fallback violates.

IA-3 Device Identification and Authentication (prevent): Mandates cryptographic device identification and authentication for ZooKeeper nodes, preventing the impersonation enabled by weak PTR-based hostname verification.

Transmission integrity control (prevent): Requires cryptographic protection of transmission integrity, which depends on correct certificate hostname validation that CVE-2026-24281 undermines.

References