CVE-2026-24281

medium

Red Hat

CVSS v3 Base Score

4.4

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N

Published: March 7, 2026

Last Modified: March 7, 2026

Vendor: Red Hat

Description

Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note that attacker must present a certificate which is trusted by ZKTrustManager which makes the attack vector harder to exploit. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue by introducing a new configuration option to disable reverse DNS lookup in client and quorum protocols.

CWE

CWE-295

Affected Products

Red Hat AMQ Broker 7Red Hat build of Apache Camel for Spring Boot 4Red Hat build of Debezium 2Red Hat build of Debezium 3Red Hat Data Grid 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform 7Red Hat JBoss Enterprise Application Platform 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Offline Knowledge Portal

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 lists.apache.org

CVE-2026-24281

Vulnerability Report

Description

CWE

Affected Products

References