Improper access control in PowerDNS Authoritative - CVE-2026-41999

 


Published: May 20, 2026


Vulnerability identifier: #VU131983
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41999
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PowerDNS.COM B.V.
Affected software: PowerDNS Authoritative

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in view selection when handling a TCP query that arrives via the PROXY protocol. A remote attacker can send a TCP query using the PROXY protocol to disclose sensitive information.

When views are enabled, the view is selected based on the proxy's address rather than the original client's address, which can result in the wrong data being returned.
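
The view-selection flaw described above, modelled as an added example; this is not PowerDNS code, and it assumes the relay sends a PROXY protocol v2 header. The view table, the trusted-proxy list, the function names and all addresses are hypothetical values constructed for illustration.

```python
import ipaddress
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

# Constructed sample data: view names, networks and addresses are illustrative.
VIEWS = [(ipaddress.ip_network("10.0.0.0/8"), "internal"),
         (ipaddress.ip_network("0.0.0.0/0"), "external")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# PROXY v2 header, TCP over IPv4: client 203.0.113.7:40000, destination 10.0.0.5:53.
SAMPLE_HEADER = (PP2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
                 + ipaddress.ip_address("203.0.113.7").packed
                 + ipaddress.ip_address("10.0.0.5").packed
                 + struct.pack("!HH", 40000, 53))


def parse_pp2_source(data):
    """Return the original client address from a PROXY v2 header (None for LOCAL)."""
    if len(data) < 16 or data[:12] != PP2_SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if ver_cmd & 0x0F == 0:  # LOCAL command: no client address is carried
        return None
    addr_len = {0x1: 4, 0x2: 16}.get(fam_proto >> 4)  # IPv4 or IPv6
    if addr_len is None or length < 2 * addr_len + 4 or len(data) < 16 + length:
        raise ValueError("unsupported family or truncated header")
    return ipaddress.ip_address(data[16:16 + addr_len])


def match_view(addr):
    """First-match lookup of the view whose network contains addr."""
    return next((view for net, view in VIEWS if addr in net), None)


def select_view_flawed(peer, header):
    # Behaviour described in the advisory: the view follows the proxy's address.
    return match_view(ipaddress.ip_address(peer))


def select_view_fixed(peer, header):
    """Key the view on the client address; honour headers only from trusted proxies."""
    peer_ip = ipaddress.ip_address(peer)
    if header and any(peer_ip in net for net in TRUSTED_PROXIES):
        return match_view(parse_pp2_source(header) or peer_ip)
    return match_view(peer_ip)
```

With the sample header, the flawed selector serves the "internal" view to a client that belongs in "external", while the corrected selector keys on the address carried in the header and ignores headers from peers that are not trusted proxies.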


How to mitigate CVE-2026-41999

Install the security update from the vendor's website.
