Cyber Posture

CVE-2026-26017

Severity: High
Published: 06 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: fixed in version 1.14.2
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0002 (6.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26017 is a high-severity Time-of-Check Time-of-Use (TOCTOU) race condition (CWE-367) in CoreDNS (coredns.io). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique DNS (T1590.002). The vulnerability ranks at the 6.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to DNS (T1590.002).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and patching of the CoreDNS plugin execution order flaw, directly preventing the TOCTOU-based DNS access control bypass.

CM-6 Configuration Settings (prevent): Mandates secure configuration settings for CoreDNS, such as ordering rewrite plugins before acl plugins, to mitigate the default execution order vulnerability.

Vulnerability scanning (detect): Scanning detects the CoreDNS plugin order issue (CVE-2026-26017), enabling proactive remediation to prevent access control bypass.

MITRE ATT&CK Enterprise Techniques

T1590.002 DNS Reconnaissance
Adversaries may gather information about the victim's DNS that can be used during targeting.
Why these techniques?

ACL bypass in CoreDNS directly enables unauthorized DNS queries against restricted zones/records, facilitating Gather Victim Network Information via DNS lookups (T1590.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.

Deeper analysis

CVE-2026-26017 is a logical vulnerability in CoreDNS, a DNS server that chains plugins, affecting versions prior to 1.14.2. The issue stems from the default execution order of plugins, where security plugins such as acl are evaluated before the rewrite plugin. This creates a Time-of-Check Time-of-Use (TOCTOU) flaw, classified as CWE-367, that allows DNS access controls to be bypassed. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

Attackers with low privileges can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation has a high confidentiality impact with a changed scope (S:C): by circumventing the access control check, an attacker gains unauthorized access to DNS data that the acl plugin was meant to restrict.

CoreDNS has patched this issue in version 1.14.2. Security practitioners should upgrade to this version or later. Additional mitigation details are available in the CoreDNS release notes at https://github.com/coredns/coredns/releases/tag/v1.14.2 and the GitHub security advisory at https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr.
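The NVD description and the deeper analysis above describe one mechanism: an access check that judges the query name before a later plugin changes that name. The Go program below is an added, simplified model of that ordering problem, not CoreDNS code; the plugin bodies, the client labels and the zone names (alias.example., db.internal.example.) are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a simplified DNS query: who asked, and for which name.
type Request struct {
	Client string // constructed label: "internal" or "external"
	QName  string
}

// Plugin is one link in the chain; it may alter req, and false means reject.
type Plugin func(req *Request) bool

// aclPlugin models an access check on the QName as it stands at check time.
func aclPlugin(req *Request) bool {
	return !(req.Client == "external" && strings.HasSuffix(req.QName, ".internal.example."))
}

// rewritePlugin maps a public alias to an internal name (names are constructed).
func rewritePlugin(req *Request) bool {
	if req.QName == "alias.example." {
		req.QName = "db.internal.example."
	}
	return true
}

// runChain returns the QName the backend would resolve, or "" if a plugin refused.
func runChain(chain []Plugin, client, qname string) string {
	req := &Request{Client: client, QName: qname}
	for _, p := range chain {
		if !p(req) {
			return ""
		}
	}
	return req.QName
}

func main() {
	// Check-before-rewrite: acl approves "alias.example.", rewrite then turns it
	// into a name acl would have refused (the TOCTOU pattern the advisory describes).
	vulnerable := []Plugin{aclPlugin, rewritePlugin}
	// Rewrite-before-check: acl judges the name that is actually resolved.
	hardened := []Plugin{rewritePlugin, aclPlugin}
	fmt.Println(runChain(vulnerable, "external", "alias.example.")) // db.internal.example.
	fmt.Println(runChain(hardened, "external", "alias.example."))   // (empty: refused)
}
```

The same model shows why a direct query for the restricted name is refused in either order: only the combination of an approved name and a later rewrite slips past the check.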

Details

CWE(s): CWE-367 (Time-of-Check Time-of-Use Race Condition)

Affected Products

Vendor: coredns.io
Product: coredns
Versions: ≤ 1.14.2

CVEs Like This One

CVE-2026-26018 (same product: CoreDNS)
CVE-2025-68151 (same product: CoreDNS)
CVE-2024-42444 (shared CWE-367)
CVE-2026-30332 (shared CWE-367)
CVE-2026-21240 (shared CWE-367)
CVE-2024-53028 (shared CWE-367)
CVE-2025-22224 (shared CWE-367)
CVE-2026-27750 (shared CWE-367)
CVE-2026-20816 (shared CWE-367)
CVE-2026-25052 (shared CWE-367)
