PT-2026-23852 · Apache · Apache Zookeeper

Nikita Markevich · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-24281

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache ZooKeeper versions prior to 3.8.6; Apache ZooKeeper versions prior to 3.9.5

Description: A flaw exists in the hostname verification process within Apache ZooKeeper’s ZKTrustManager. When IP Subject Alternative Name (SAN) validation fails, the system incorrectly falls back to a reverse DNS (PTR) record lookup. This allows attackers who control or manipulate PTR records to potentially impersonate ZooKeeper servers or clients, even when presenting a certificate trusted by the ZKTrustManager. Successful exploitation requires the attacker to possess a certificate that is already trusted by the system, making the attack more complex.

Recommendations: Upgrade to Apache ZooKeeper version 3.8.6 or 3.9.5.
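The flawed fallback and a hardened check, modelled in Python as an added example (this is not ZooKeeper's ZKTrustManager code; the helper names, sample SANs and the PTR stub are constructed):

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Hypothetical helper names; a simplified model, not ZooKeeper's ZKTrustManager code.
def _ip_matches(peer_ip: str, ip_sans: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr == ipaddress.ip_address(san) for san in ip_sans)

def _dns_matches(name: str, dns_sans: Iterable[str]) -> bool:
    # Exact, case-insensitive match; wildcards deliberately not modelled here.
    name = name.lower().rstrip(".")
    return any(name == san.lower().rstrip(".") for san in dns_sans)

def verify_peer_vulnerable(peer_ip: str, ip_sans: Iterable[str], dns_sans: Iterable[str],
                           reverse_lookup: Callable[[str], str]) -> bool:
    """Flawed pattern: if the IP SAN check fails, take whatever name the PTR
    record for the peer address returns and match it against the DNS SANs.
    That answer is controlled by whoever runs reverse DNS for the peer's block."""
    if _ip_matches(peer_ip, ip_sans):
        return True
    try:
        ptr_name = reverse_lookup(peer_ip)
    except OSError:
        return False
    return _dns_matches(ptr_name, dns_sans)

def verify_peer_fixed(peer_ip: str, ip_sans: Iterable[str], dns_sans: Iterable[str],
                      configured_name: Optional[str] = None) -> bool:
    """Hardened: compare only against identities the local side already knows:
    the connected IP against IP SANs, and the peer name from local
    configuration (if any) against DNS SANs. No reverse DNS is consulted."""
    if _ip_matches(peer_ip, ip_sans):
        return True
    return configured_name is not None and _dns_matches(configured_name, dns_sans)

# Constructed sample data: a certificate for one legitimate node, and a PTR
# answer that whoever controls reverse DNS for 192.0.2.0/24 (TEST-NET-1)
# could return for an address there.
CERT_IP_SANS = ["10.0.0.5"]
CERT_DNS_SANS = ["zk1.example.internal"]
CONSTRUCTED_PTR = {"192.0.2.10": "zk1.example.internal"}

def stub_reverse_lookup(ip: str) -> str:
    if ip in CONSTRUCTED_PTR:
        return CONSTRUCTED_PTR[ip]
    raise OSError("no PTR record")

if __name__ == "__main__":
    print("vulnerable:", verify_peer_vulnerable("192.0.2.10", CERT_IP_SANS, CERT_DNS_SANS, stub_reverse_lookup))
    print("fixed:", verify_peer_fixed("192.0.2.10", CERT_IP_SANS, CERT_DNS_SANS))
```

The vulnerable check accepts the certificate for an address whose PTR record merely claims the legitimate node's name; the fixed check rejects it because neither the IP SAN nor a locally configured peer name matches.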

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

BIT-ZOOKEEPER-2026-24281
CLEANSTART-2026-AO61361
CLEANSTART-2026-AV84730
CLEANSTART-2026-CF62516
CLEANSTART-2026-DY69070
CLEANSTART-2026-EZ90321
CLEANSTART-2026-GN46454
CLEANSTART-2026-IS05941
CLEANSTART-2026-JK47870
CLEANSTART-2026-JU62349
CLEANSTART-2026-KB76878
CLEANSTART-2026-KV09488
CLEANSTART-2026-LO22603
CLEANSTART-2026-RD06185
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SR31778
CLEANSTART-2026-SV95049
CLEANSTART-2026-TK07726
CLEANSTART-2026-VN28553
CLEANSTART-2026-WK99982
CVE-2026-24281
GHSA-7XRH-HQFC-G7QR

Affected Products

Apache Zookeeper