Incorrect authorization in dnsdist - CVE-2026-24029

Published: April 23, 2026
Vulnerability identifier: #VU126957
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-24029
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PowerDNS.COM B.V.
Affected software: dnsdist

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass access controls for DNS over HTTPS queries.

The vulnerability exists due to improper access control in the DNS over HTTPS frontend when it uses the nghttp2 provider and the early_acl_drop option is disabled. A remote attacker can send DoH queries to such a frontend and bypass its access controls.

The issue occurs only on DNS over HTTPS frontends using the nghttp2 provider with early_acl_drop disabled.
How to mitigate CVE-2026-24029

Install the security update from the vendor's website.

Sources