Two “Important” severity vulnerabilities have been disclosed in Apache ZooKeeper, a widely used service for configuration management and naming in distributed applications, making timely security updates critical.
These newly discovered flaws could allow attackers to access sensitive configuration data or bypass hostname verification to impersonate trusted servers. Both vulnerabilities affect the ZooKeeper 3.8.x and 3.9.x branches.
Apache ZooKeeper Vulnerability
The first vulnerability, tracked as CVE-2026-24308, involves the disclosure of sensitive information.
Discovered by researcher Youlong Chen, this flaw occurs due to the improper handling of configuration values in the ZKConfig component.
When a client connects, sensitive configuration data is accidentally printed to the client’s log file at the default INFO logging level.
This means any unauthorized user or attacker with access to the system’s log files could quietly steal sensitive production data without triggering alarms.
The second issue, tracked as CVE-2026-24281 (and internally as ZOOKEEPER-4986), is a hostname verification bypass discovered by Nikita Markevich.
In the ZKTrustManager component, if IP Subject Alternative Name (SAN) validation fails, the system automatically falls back to a reverse DNS (PTR) lookup.
An attacker who controls or spoofs PTR records can exploit this behavior to impersonate valid ZooKeeper servers or clients.
While the attacker must still present a certificate trusted by ZKTrustManager, which makes this harder to exploit, a successful attack completely undermines the system’s trust model.
To protect infrastructure from these threats, Apache highly recommends that administrators immediately upgrade their ZooKeeper installations to the patched versions.
The official fixes are available in Apache ZooKeeper versions 3.8.6 and 3.9.5. Applying these updates resolves the logging exposure flaw, ensuring that ZKConfig no longer leaks sensitive values into local files.
Furthermore, the updates fix the hostname bypass issue by introducing a new configuration option that turns off reverse DNS lookups for both the client and quorum protocols.
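To make the second flaw concrete, here is an added Python model of the verification logic described above and of the hardened behaviour the fix introduces (disabling the reverse DNS step). This is illustrative code written for this article, not ZooKeeper's ZKTrustManager; the certificate structure, addresses, hostnames and PTR tables are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class PeerCert:
    """Constructed stand-in for a peer certificate: only its SAN entries matter here."""
    ip_sans: List[str] = field(default_factory=list)
    dns_sans: List[str] = field(default_factory=list)

def verify_peer(cert: PeerCert, peer_ip: str, reverse_dns_fallback: bool,
                ptr_lookup: Callable[[str], Optional[str]]) -> bool:
    """Hypothetical endpoint-identity check shaped like the advisory's description.

    Step 1: the address being connected to must appear as an IP SAN.
    Step 2 (the weak fallback): if it does not, resolve the address with a PTR
    query and accept any DNS SAN equal to the returned name. The PTR answer is
    controlled by whoever serves the reverse zone, so this step lets that
    answer decide which name the certificate is compared against.
    reverse_dns_fallback=False removes step 2 entirely (the hardened form).
    """
    addr = ipaddress.ip_address(peer_ip)
    if any(ipaddress.ip_address(san) == addr for san in cert.ip_sans):
        return True
    if not reverse_dns_fallback:
        return False
    name = ptr_lookup(peer_ip)
    return name is not None and name.lower() in {d.lower() for d in cert.dns_sans}

def make_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Build an offline PTR resolver from a constructed address-to-name table."""
    return lambda ip: table.get(ip)

SERVER_IP = "10.0.0.10"                      # constructed address of the real server
HONEST_PTR = make_resolver({SERVER_IP: "zk1.example.com"})
# Constructed spoofed reverse zone: the server's address now "resolves" to a
# name for which the impostor holds a certificate trusted by the same truststore.
SPOOFED_PTR = make_resolver({SERVER_IP: "node7.example.com"})

GENUINE_CERT = PeerCert(ip_sans=[SERVER_IP], dns_sans=["zk1.example.com"])
IMPOSTOR_CERT = PeerCert(dns_sans=["node7.example.com"])  # trusted cert, wrong host

def genuine_server_accepted(fallback: bool) -> bool:
    return verify_peer(GENUINE_CERT, SERVER_IP, fallback, HONEST_PTR)

def impostor_accepted(fallback: bool) -> bool:
    return verify_peer(IMPOSTOR_CERT, SERVER_IP, fallback, SPOOFED_PTR)

if __name__ == "__main__":
    print("genuine, fallback on  :", genuine_server_accepted(True))   # True
    print("impostor, fallback on :", impostor_accepted(True))         # True (the bypass)
    print("impostor, fallback off:", impostor_accepted(False))        # False
    print("genuine, fallback off :", genuine_server_accepted(False))  # True
```

The genuine server still verifies with the fallback disabled because its IP SAN matches, which is why turning reverse lookups off costs nothing for correctly issued certificates.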
In addition to patching, security teams should actively review their logging environments to ensure no historically sensitive data remains exposed in older, archived log files.