7.4

Apache ZooKeeper: Spoofing ZooKeeper servers or clients with fake certificate

CVE-2026-24281 BIT-zookeeper-2026-24281 GHSA-7xrh-hqfc-g7qr
Summary

Apache ZooKeeper's hostname verification can be bypassed by attackers who control or spoof DNS records, letting them impersonate a trusted ZooKeeper server or client. To fix this, update to ZooKeeper version 3.8.6 or 3.9.5, which add a configuration option to disable the reverse DNS lookup.

What to do
  • Update zookeeper to version 3.9.5.
  • Update org.apache.zookeeper:zookeeper to version 3.8.6.
  • Update org.apache.zookeeper:zookeeper to version 3.9.5.
Affected software
Vendor   Product                          Affected versions    Fix available
-        zookeeper                        > 3.9.0, <= 3.9.5    3.9.5
apache   zookeeper                        > 3.8.0, <= 3.8.6    -
apache   zookeeper                        > 3.9.0, <= 3.9.5    -
-        org.apache.zookeeper:zookeeper   > 3.8.0, <= 3.8.6    3.8.6
-        org.apache.zookeeper:zookeeper   > 3.9.0, <= 3.9.5    3.9.5
Original title
Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager
Original description
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that an attacker must present a certificate that is trusted by ZKTrustManager, which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
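The verification order described above (IP SAN first, then a reverse-DNS name compared against DNS SANs) is the whole of the issue, so the following model makes it concrete. This is an added example written for this page, not ZooKeeper's own ZKTrustManager code: the `Certificate` class, the `verify_peer` function, the `reverse_dns_fallback` flag (standing in for the configuration option the advisory mentions but does not name here), and the in-memory PTR tables are all constructed for illustration. It shows why a trusted certificate for some other name is accepted only when the fallback is on, and why disabling it restores the expected outcome.

```python
"""Model of the reverse-DNS hostname-verification fallback (constructed example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Certificate:
    """Only the subjectAltName entries the check needs; all values are constructed."""
    dns_sans: set[str] = field(default_factory=set)
    ip_sans: set[str] = field(default_factory=set)


# Constructed in-memory PTR table standing in for real reverse DNS (offline).
TRUSTED_PTR = {"10.0.0.5": "zk1.example.internal"}


def reverse_lookup(ip: str, ptr_table: dict[str, str]) -> str | None:
    """Stand-in for a PTR query: answered by whoever controls the reverse zone."""
    return ptr_table.get(ip)


def matches_dns_san(name: str, cert: Certificate) -> bool:
    """Exact, case-insensitive DNS SAN match (wildcards omitted for clarity)."""
    return name.lower() in {n.lower() for n in cert.dns_sans}


def verify_peer(cert: Certificate, peer_ip: str, ptr_table: dict[str, str],
                reverse_dns_fallback: bool) -> tuple[bool, str]:
    """Return (accepted, reason) for a peer connecting from peer_ip.

    Step 1: IP SAN check. The certificate itself binds the address, so this
            is the check that cannot be influenced by DNS.
    Step 2: Only if the fallback is enabled: resolve peer_ip via PTR and match
            the returned name against the DNS SANs. The PTR answer is chosen by
            the operator of the reverse zone, not by the CA, so a certificate
            valid for a different name can pass here.
    """
    ip = ipaddress.ip_address(peer_ip)
    if any(ipaddress.ip_address(s) == ip for s in cert.ip_sans):
        return True, "ip-san"
    if not reverse_dns_fallback:
        return False, "no-ip-san-match"
    ptr_name = reverse_lookup(peer_ip, ptr_table)
    if ptr_name and matches_dns_san(ptr_name, cert):
        return True, f"reverse-dns:{ptr_name}"
    return False, "no-match"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the four cases a defender cares about; inputs are constructed."""
    peer_ip = "10.0.0.5"
    # Certificate issued for this node: carries both its name and its address.
    legit = Certificate(dns_sans={"zk1.example.internal"}, ip_sans={"10.0.0.5"})
    # Certificate trusted by the truststore but issued for a different name,
    # with no IP SAN for this peer.
    other = Certificate(dns_sans={"other.example.internal"})
    # PTR table as it would look if the reverse zone for 10.0.0.5 were altered.
    altered_ptr = {"10.0.0.5": "other.example.internal"}
    return {
        "legit_no_fallback": verify_peer(legit, peer_ip, TRUSTED_PTR, False),
        "other_fallback_clean_ptr": verify_peer(other, peer_ip, TRUSTED_PTR, True),
        "other_fallback_altered_ptr": verify_peer(other, peer_ip, altered_ptr, True),
        "other_no_fallback_altered_ptr": verify_peer(other, peer_ip, altered_ptr, False),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:32s} accepted={ok!s:5s} reason={why}")
```

The only case that accepts the mismatched certificate is the one with the fallback enabled and the PTR record pointing at that certificate's name; the same inputs with the fallback disabled are rejected at step 1, which is the behaviour the new configuration option in 3.8.6 and 3.9.5 is meant to give operators.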
Vulnerability type
CWE-295 Improper Certificate Validation
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-297 Improper Validation of Certificate with Host Mismatch
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026