Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Apache ZooKeeper 3.8.5 and 3.9.4 Exposes Sensitive Client Info in Log Files
DEBIAN-CVE-2026-24308
Summary
Apache ZooKeeper versions 3.8.5 and 3.9.4 on all systems can leak sensitive information about client configurations into log files. This could lead to unauthorized access to important data. To fix this, update to version 3.8.6 or 3.9.5.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
| debian | zookeeper | All versions | – |
Original title
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the c...
Original description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
- https://security-tracker.debian.org/tracker/CVE-2026-24308 Vendor Advisory
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026