Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Apache ZooKeeper allows attackers to impersonate servers with fake DNS records
DEBIAN-CVE-2026-24281
Summary
Apache ZooKeeper's hostname verification can be bypassed by attackers who control or fake DNS records, allowing them to pretend to be a trusted server. This can lead to security breaches. To fix this, update to version 3.8.6 or 3.9.5 and configure the system to disable reverse DNS lookups.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
Original title
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper s...
Original description
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.
- https://security-tracker.debian.org/tracker/CVE-2026-24281 Vendor Advisory
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026