The Apache Software Foundation has released an urgent security update for Apache ZooKeeper, the mission-critical service used by thousands of distributed applications for configuration, naming, and synchronization. The latest patches address two “important” vulnerabilities that, if left unchecked, could allow attackers to bypass core security checks or harvest sensitive production secrets from system logs.
The most significant threat in this update is CVE-2026-24281, a vulnerability in the ZKTrustManager component that undermines the “chain of trust” between ZooKeeper servers and their clients.
When ZooKeeper validates a connection, it primarily checks the IP Subject Alternative Name (SAN). However, researchers found that if this validation fails, the system improperly falls back to using Reverse-DNS (PTR) records to verify the host.
An attacker who can control or “spoof” a PTR record can trick ZooKeeper into verifying a connection from a malicious host.
This attack is “harder to exploit” because the attacker must still present a certificate that the ZKTrustManager already trusts. Nevertheless, for an attacker with an existing foothold or a compromised certificate, it provides a silent way to impersonate legitimate servers or clients.
The second flaw, CVE-2026-24308, involves a classic case of improper information handling within the ZKConfig class.
In affected versions, sensitive information stored in the client configuration—such as credentials or private keys—is inadvertently written to the client’s log file. Crucially, these values are exposed at the INFO log level, meaning standard production systems are likely recording these secrets by default. Any attacker or unauthorized user with read access to the logs could harvest this data to facilitate further attacks.
The vulnerabilities impact the two most recent stable branches of the ZooKeeper project.
| Vulnerable Versions | Patched Version |
|---------------------|-----------------|
| 3.9.0 through 3.9.4 | 3.9.5 |
| 3.8.0 through 3.8.5 | 3.8.6 |
The Apache ZooKeeper team “strongly recommends” that users upgrade to the fixed versions immediately.
In addition to fixing the specific bugs, the new versions introduce a configuration option that allows administrators to disable reverse DNS lookups entirely during hostname verification. Enabling it is considered a best practice for high-security environments, since it removes the fallback path altogether.
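The following is an added illustration, not ZooKeeper's own ZKTrustManager code, of the verification pattern described above: the IP SAN check, the reverse-DNS fallback that CVE-2026-24281 stems from, and the hardened behaviour with that fallback disabled. The function names, the `allow_reverse_dns` flag, the certificate SANs and the PTR table are all constructed for the example; the real option name is not stated here.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed, simplified model of peer verification (not ZooKeeper's code).
# A SAN list is a sequence of ("IP", address) or ("DNS", name) pairs.

def ip_san_matches(sans: Iterable[Tuple[str, str]], peer_ip: str) -> bool:
    """True if any IP SAN in the certificate equals the peer's address."""
    peer = ipaddress.ip_address(peer_ip)
    return any(kind == "IP" and ipaddress.ip_address(value) == peer
               for kind, value in sans)

def dns_san_matches(sans: Iterable[Tuple[str, str]], hostname: str) -> bool:
    """True if any DNS SAN equals the hostname (case and trailing dot ignored)."""
    host = hostname.rstrip(".").lower()
    return any(kind == "DNS" and value.rstrip(".").lower() == host
               for kind, value in sans)

def verify_peer(sans: Iterable[Tuple[str, str]], peer_ip: str,
                reverse_dns: Optional[Callable[[str], Optional[str]]] = None,
                allow_reverse_dns: bool = False) -> Optional[str]:
    """Return which check accepted the peer ("ip-san" or "reverse-dns"), else None.

    allow_reverse_dns=True reproduces the fallback the advisory describes: when
    the IP SAN check fails, the peer's PTR name is resolved and compared with
    the DNS SANs, so whoever controls that PTR record decides the outcome.
    allow_reverse_dns=False is the hardened behaviour: only the IP SAN counts.
    """
    sans = list(sans)  # the list is iterated twice below
    if ip_san_matches(sans, peer_ip):
        return "ip-san"
    if allow_reverse_dns and reverse_dns is not None:
        ptr_name = reverse_dns(peer_ip)
        if ptr_name and dns_san_matches(sans, ptr_name):
            return "reverse-dns"
    return None

# Constructed sample data: a trusted server certificate, and a PTR table in
# which 10.0.0.99 (not a cluster member) answers with the real server's name.
CERT_SANS = [("DNS", "zk1.example.internal"), ("IP", "10.0.0.5")]
PTR_TABLE = {"10.0.0.5": "zk1.example.internal",
             "10.0.0.99": "zk1.example.internal"}

def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a reverse DNS query, answered from the constructed table."""
    return PTR_TABLE.get(ip)
```

With the fallback enabled, the connection from 10.0.0.99 is accepted purely on the strength of its PTR record; with it disabled, the same certificate is accepted only from the address actually listed in its IP SAN.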