Surya Narayan Kushwaha

#21917 of 53,633
10.8 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2026-29242
4.3
2026-01-01
Dashboard · Dashboard · CVE-2026-0397
**Name of the Vulnerable Software and Affected Versions**
Versions (affected versions not specified)

**Description**
A misconfiguration of the Cross-Origin Resource Sharing (CORS) policy exists when the internal webserver is enabled. An attacker may be able to trick an administrator logged into the dashboard into visiting a malicious website, potentially allowing the extraction of information about the running configuration from the dashboard. CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from making requests to a different domain than the one which served the web page.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2026-29244
6.5
2026-01-01
Nghttp2 · Nghttp2 · CVE-2026-24029
**Name of the Vulnerable Software and Affected Versions**
Versions prior to the fix for CVE-2026-24029

**Description**
When the `early acl drop` (or `earlyACLDrop` in Lua) option is disabled, and a DNS over HTTPS frontend is utilizing the nghttp2 provider, the Access Control List (ACL) check is bypassed. This allows all clients to submit DNS over HTTPS (DoH) queries, irrespective of the configured ACL rules. The default setting for `early acl drop` is enabled.

**Recommendations**
Ensure the `early acl drop` option is enabled.