PT-2026-29244 · Nghttp2 · Nghttp2
Cavid
+1
·
Published
2026-01-01
·
Updated
2026-04-24
·
CVE-2026-24029
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
versions prior to the fix for CVE-2026-24029
Description
When the
early acl drop (or earlyACLDrop in Lua) option is disabled, and a DNS over HTTPs frontend is utilizing the nghttp2 provider, the Access Control List (ACL) check is bypassed. This allows all clients to submit DNS over HTTPS (DoH) queries, irrespective of the configured ACL rules. The default setting for early acl drop is enabled.Recommendations
Ensure the
early acl drop option is enabled.Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nghttp2