PT-2026-23853 · Apache · Apache Zookeeper

Youlong Chen · Published 2026-01-01 · Updated 2026-05-18 · CVE-2026-24308

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Apache ZooKeeper versions 3.8.5 and 3.9.4

Description

An issue exists in Apache ZooKeeper where improper handling of configuration values in ZKConfig can lead to the exposure of sensitive information. Specifically, client configuration data stored in the client's logfile may be revealed to an attacker. This occurs because configuration values are logged at the INFO level, potentially impacting production systems.

Recommendations

Upgrade to Apache ZooKeeper version 3.8.6 or 3.9.5 to resolve this issue.

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

BIT-ZOOKEEPER-2026-24308
CLEANSTART-2026-AO61361
CLEANSTART-2026-CF62516
CLEANSTART-2026-EZ90321
CLEANSTART-2026-IS05941
CLEANSTART-2026-JK47870
CLEANSTART-2026-JU62349
CLEANSTART-2026-KV09488
CLEANSTART-2026-LO22603
CLEANSTART-2026-RD06185
CLEANSTART-2026-SQ91016
CLEANSTART-2026-SV95049
CLEANSTART-2026-WK99982
CVE-2026-24308
GHSA-CRHR-QQJ8-RPXC

Affected Products

Apache Zookeeper