## Apache ZooKeeper CVE-2026-24281: Hostname Verification Flaw Allows Server Impersonation via Spoofed DNS
A critical vulnerability in Apache ZooKeeper's ZKTrustManager can allow attackers to impersonate trusted servers or clients. The flaw, tracked as CVE-2026-24281, stems from a fallback mechanism in hostname verification. When the peer's IP address fails to match the certificate's IP Subject Alternative Name (IP SAN), the trust manager falls back to a reverse DNS (PTR) lookup of that address and matches the returned hostname against the certificate instead. An attacker who can control or spoof the PTR records for their own address can therefore present a valid certificate issued for the spoofed hostname, effectively bypassing the hostname check that is meant to safeguard authentication.
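To make the fallback concrete, below is an added Python model of the verification path described above; it is written for this page and is not ZooKeeper's own code. Certificates are represented as the `(type, value)` SAN pairs that Java's `X509Certificate.getSubjectAlternativeNames()` yields (type 2 is dNSName, type 7 is iPAddress), reverse DNS is replaced by a constructed PTR table so the script runs offline, and the `verify_peer` function, its `allow_reverse_dns_fallback` flag and every hostname and address in it are assumptions of this example rather than ZooKeeper identifiers. The hardened path simply stops at the IP SAN comparison, which is what disabling the fallback amounts to.

```python
"""
Model of the hostname-verification fallback behind CVE-2026-24281.
Added illustration for this page, not ZooKeeper code. Certificates are
modelled as the (type, value) pairs returned by Java's
X509Certificate.getSubjectAlternativeNames(); reverse DNS is modelled
by a constructed PTR table instead of a live resolver.
"""
from __future__ import annotations

import ipaddress

DNS_NAME = 2     # GeneralName type for dNSName
IP_ADDRESS = 7   # GeneralName type for iPAddress

# Constructed PTR table standing in for a reverse-DNS lookup (assumption).
# 203.0.113.10 is the legitimate node; the entry for 198.51.100.7 models a
# PTR record under an attacker's control that claims the trusted name.
PTR_TABLE = {
    "203.0.113.10": "zk1.example.internal",
    "198.51.100.7": "zk1.example.internal",   # spoofed PTR
}

# Constructed SANs of a certificate the trust manager already trusts.
TRUSTED_CERT_SANS = [
    (DNS_NAME, "zk1.example.internal"),
    (IP_ADDRESS, "203.0.113.10"),
]


def reverse_lookup(ip: str) -> str | None:
    """Stand-in for a PTR query; returns the mapped name or None."""
    return PTR_TABLE.get(ip)


def ip_san_matches(sans, peer_ip: str) -> bool:
    """Compare the peer address against every iPAddress SAN, normalising both
    sides so that textual variants of the same IPv6 address compare equal."""
    peer = ipaddress.ip_address(peer_ip)
    for kind, value in sans:
        if kind != IP_ADDRESS:
            continue
        try:
            if ipaddress.ip_address(value) == peer:
                return True
        except ValueError:       # malformed SAN value: ignore, never match
            continue
    return False


def dns_san_matches(sans, hostname: str) -> bool:
    """Match a hostname against dNSName SANs, allowing a single-label
    left-most wildcard in the RFC 6125 style."""
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != DNS_NAME:
            continue
        pattern = value.lower().rstrip(".")
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # ".example.internal"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif pattern == host:
            return True
    return False


def verify_peer(sans, peer_ip: str, allow_reverse_dns_fallback: bool) -> tuple[bool, str]:
    """Return (accepted, reason).

    allow_reverse_dns_fallback=True reproduces the weak behaviour: when no
    iPAddress SAN matches, the peer IP is resolved via PTR and the returned
    name is matched against dNSName SANs, so the trust decision rests on
    data the peer's network may control. False is the hardened behaviour:
    verification ends at the IP SAN comparison.
    """
    if ip_san_matches(sans, peer_ip):
        return True, "ip-san"
    if not allow_reverse_dns_fallback:
        return False, "no matching iPAddress SAN"
    name = reverse_lookup(peer_ip)
    if name is None:
        return False, "no matching iPAddress SAN and no PTR record"
    if dns_san_matches(sans, name):
        return True, f"dns-san via PTR {name}"
    return False, f"PTR {name} does not match any dNSName SAN"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.99"):
        weak = verify_peer(TRUSTED_CERT_SANS, ip, allow_reverse_dns_fallback=True)
        hardened = verify_peer(TRUSTED_CERT_SANS, ip, allow_reverse_dns_fallback=False)
        print(f"{ip:>14}  fallback on: {weak}  fallback off: {hardened}")
```

Running the script shows the difference in one line of output: with the fallback enabled, the connection from 198.51.100.7 is accepted on the strength of the spoofed PTR record even though no IP SAN matches, while with the fallback disabled the same connection is rejected and only 203.0.113.10, whose address is actually in the certificate, passes.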

The vulnerability affects the widely used distributed coordination service, Apache ZooKeeper, specifically version 3.9.4. While exploitation requires the attacker to present a certificate already trusted by the ZKTrustManager—a factor that complicates the attack—the potential impact is significant for systems relying on ZooKeeper for cluster management and configuration. The core weakness, classified under CWE-295 (Improper Certificate Validation), undermines the integrity of both client and quorum communication protocols.

The Apache ZooKeeper project has released patches in versions 3.8.6 and 3.9.5. The fix introduces a new configuration option that allows administrators to disable the insecure reverse DNS lookup fallback entirely. Organizations using vulnerable versions are under immediate pressure to apply these updates to prevent potential man-in-the-middle attacks and unauthorized access within their distributed architectures.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-24281, Apache ZooKeeper, Security Vulnerability, Authentication Bypass, DNS Spoofing
- **Credibility**: unverified
- **Published**: 2026-04-01 12:27:21
- **ID**: 45320
- **URL**: https://whisperx.ai/en/intel/45320