Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Apache ZooKeeper 3.8.5 and 3.9.4: Sensitive client info exposed in logs
UBUNTU-CVE-2026-24308
Summary
Apache ZooKeeper versions 3.8.5 and 3.9.4 may leak sensitive client information in their logs. This could be a security risk if the logs are accessible to unauthorized people. To fix this, update to versions 3.8.6 or 3.9.5.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
| canonical | zookeeper | All versions | – |
Original title
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the c...
Original description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
- https://ubuntu.com/security/CVE-2026-24308 Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2026-24308 Third Party Advisory
- https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr Third Party Advisory
- http://www.openwall.com/lists/oss-security/2026/03/07/5 Third Party Advisory
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026