PT-2026-35877 · Coredns · Coredns
Manizada · Published 2026-04-28 · Updated 2026-05-21 · CVE-2026-33489
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: CoreDNS (affected versions not specified)
Description: The transfer plugin in CoreDNS may select the wrong Access Control List (ACL) stanza when both a parent zone and a more specific subzone are configured. Although the longestMatch() function in plugin/transfer/transfer.go is intended to implement longest-zone-match logic, it uses lexicographic string comparison to decide the winning rule. As a result, a permissive parent-zone transfer rule overrides a restrictive subzone rule whenever the parent zone's name sorts lexicographically after the subzone's name. Clients that are not authorized for the subzone can then perform AXFR (full zone transfer) or IXFR (incremental zone transfer) against it and retrieve its zone contents.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
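To make the selection defect concrete, the following Go program is an added illustrative example written for this page; it is not CoreDNS's code and does not reproduce plugin/transfer/transfer.go. It models a transfer ACL stanza as a zone name plus an allow list and contrasts a lexicographic "winner" (the behaviour the description attributes to longestMatch()) with a label-count longest match. The Rule type, the functions lexicographicZoneMatch, longestZoneMatch and transferAllowed, and the zones and client addresses in SampleRules are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for one transfer ACL stanza: the zone it
// applies to and the clients allowed to request AXFR/IXFR of that zone.
// The type and the matching functions below are constructed for this
// example; they are not CoreDNS's own code.
type Rule struct {
	Zone  string   // fully qualified zone name, e.g. "example.org."
	Allow []string // client addresses permitted to transfer; "*" means any
}

// inZone reports whether name is zone itself or a name below it.
func inZone(zone, name string) bool {
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// labelCount returns the number of DNS labels in a zone name ("." has 0).
func labelCount(zone string) int {
	zone = strings.TrimSuffix(zone, ".")
	if zone == "" {
		return 0
	}
	return strings.Count(zone, ".") + 1
}

// lexicographicZoneMatch models the defect described above: among the rules
// whose zone contains name, the rule whose zone string sorts greatest wins,
// which is not the same thing as the most specific zone.
func lexicographicZoneMatch(rules []Rule, name string) *Rule {
	var best *Rule
	for i := range rules {
		r := &rules[i]
		if inZone(r.Zone, name) && (best == nil || r.Zone > best.Zone) {
			best = r
		}
	}
	return best
}

// longestZoneMatch selects the matching rule with the most labels, i.e. the
// most specific zone, which is what a longest-match ACL is meant to do.
func longestZoneMatch(rules []Rule, name string) *Rule {
	var best *Rule
	for i := range rules {
		r := &rules[i]
		if inZone(r.Zone, name) && (best == nil || labelCount(r.Zone) > labelCount(best.Zone)) {
			best = r
		}
	}
	return best
}

// transferAllowed applies the selected rule's allow list to client; with no
// matching rule the transfer is refused.
func transferAllowed(match func([]Rule, string) *Rule, rules []Rule, zone, client string) bool {
	r := match(rules, zone)
	if r == nil {
		return false
	}
	for _, a := range r.Allow {
		if a == "*" || a == client {
			return true
		}
	}
	return false
}

// SampleRules is a constructed configuration: a permissive parent zone and a
// restrictive subzone whose name sorts before the parent's ("c" < "e"), which
// is exactly the arrangement in which the lexicographic pick goes wrong.
func SampleRules() []Rule {
	return []Rule{
		{Zone: "example.org.", Allow: []string{"*"}},
		{Zone: "corp.example.org.", Allow: []string{"10.0.0.5"}},
	}
}

func main() {
	rules := SampleRules()
	strategies := []struct {
		name  string
		match func([]Rule, string) *Rule
	}{{"lexicographic", lexicographicZoneMatch}, {"longest", longestZoneMatch}}
	for _, s := range strategies {
		r := s.match(rules, "corp.example.org.")
		fmt.Printf("%-13s selects %-18s unlisted client 203.0.113.9 allowed: %v\n",
			s.name, r.Zone, transferAllowed(s.match, rules, "corp.example.org.", "203.0.113.9"))
	}
}
```

Running the program shows the lexicographic strategy applying the parent's "*" allow list to a transfer request for corp.example.org., while the label-count strategy applies the subzone's own list. A useful defensive check against such a bug is a unit test with a subzone whose first label sorts before the parent's first label, since a subzone that sorts after the parent (for example zeta.example.org.) happens to produce the right answer under both strategies and would not reveal the defect.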

Exploit

Weakness Enumeration

Missing Authorization
Incorrect Authorization

Related Identifiers

CLEANSTART-2026-SL86558
CLEANSTART-2026-VJ54611
CVE-2026-33489
GHSA-H8MM-C463-WJQ3

Affected Products

Coredns