PT-2026-29244 · Nghttp2 · Nghttp2

Cavid

+1

·

Publicado

2026-01-01

·

Atualizado

2026-04-24

·

CVE-2026-24029

CVSS v3.1

6.5

Média

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions versions prior to the fix for CVE-2026-24029
Description When the early acl drop (or earlyACLDrop in Lua) option is disabled, and a DNS over HTTPs frontend is utilizing the nghttp2 provider, the Access Control List (ACL) check is bypassed. This allows all clients to submit DNS over HTTPS (DoH) queries, irrespective of the configured ACL rules. The default setting for early acl drop is enabled.
Recommendations Ensure the early acl drop option is enabled.

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-863

Identificadores relacionados

CVE-2026-24029
SUSE-SU-2026:1618-1

Produtos afetados

Nghttp2