{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24029", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-01-20T14:56:25.872Z", "datePublished": "2026-03-31T11:59:12.903Z", "dateUpdated": "2026-03-31T13:15:37.448Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected", "modules": ["Incoming DNS over HTTPS"], "packageName": "dnsdist", "product": "DNSdist", "programFiles": ["dnsdist-nghttp2-in.cc"], "repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "versions": [{"lessThan": "1.9.12", "status": "affected", "version": "1.9.0", "versionType": "semver"}, {"lessThan": "2.0.3", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Surya Narayan Kushwaha (aka Cavid)"}], "datePublic": "2026-03-30T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.</p>"}], "value": "When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-31T11:59:12.903Z"}, "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html"}], "source": {"discovery": "UNKNOWN"}, "title": "DNS over HTTPS ACL bypass", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-863", "lang": "en", "description": "CWE-863 Incorrect Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T13:15:34.638851Z", "id": "CVE-2026-24029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:15:37.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T13:15:34.638851Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T13:15:30.408Z"}}], "cna": {"title": "DNS over HTTPS ACL bypass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Surya Narayan Kushwaha (aka Cavid)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "modules": ["Incoming DNS over HTTPS"], "product": "DNSdist", "versions": [{"status": "affected", "version": "1.9.0", "lessThan": "1.9.12", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.3", "versionType": "semver"}], "packageName": "dnsdist", "programFiles": ["dnsdist-nghttp2-in.cc"], "collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected"}], "datePublic": "2026-03-30T22:00:00.000Z", "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.", "supportingMedia": [{"type": "text/html", "value": "<p>When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Incorrect Authorization"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-03-31T11:59:12.903Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24029", "state": "PUBLISHED", "dateUpdated": "2026-03-31T13:15:37.448Z", "dateReserved": "2026-01-20T14:56:25.872Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-03-31T11:59:12.903Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "628B3B94-81DE-496E-B36A-B79A3DFFE1F4", "versionEndExcluding": "1.9.12", "versionStartIncluding": "1.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AC850DD-FDD8-4C48-B861-4BBAF423FF57", "versionEndExcluding": "2.0.3", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL."}], "id": "CVE-2026-24029", "lastModified": "2026-04-14T16:24:27.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@open-xchange.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T12:16:27.633", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.9.0,1.9.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "DNSdist", "source": "cna", "vendor": "PowerDNS"}, "product": "dnsdist", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-14T17:51:22.820590+00:00", "value": {"mitigation_remediation": ["Review the PowerDNS DNSdist security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the recommended fix.", "Ensure the early_acl_drop setting is enabled; the default is enabled, so verify that it remains so in the configuration file or through the control interface.", "If you need to modify ACL rules, maintain early_acl_drop enabled and use the standard ACL mechanisms to restrict traffic.", "Apply the latest DNSdist release available from the vendor, as newer versions may contain additional mitigations or runtime validations.", "If you must temporarily disable early_acl_drop, limit network access to the DNSdist instance using firewall rules or network segmentation to restrict denied clients."], "summary": {"action": "Patch", "impact": "Access Control Bypass"}, "threat_synthesis": {"affected_systems": "The flaw affects PowerDNS DNSdist deployments that expose a DoH frontend via the nghttp2 provider. Any configuration that turns off the early_acl_drop flag\u2014whether through the default setting change or intentional modification\u2014makes the server vulnerable. No particular software versions are listed, so any release that allows toggling this flag is susceptible.", "description_and_impact": "The vulnerability permits a DNS over HTTPS (DoH) client to bypass the configured ACL restrictions when the early_acl_drop option is disabled. This condition causes the ACL check to be skipped, allowing any IP address to send DoH queries to the DNSdist server. As a result, unauthorized clients can consume DNS services, potentially leading to service overutilization, traffic snooping, or covert DNS tunneling. The weakness corresponds to CWE-863, reflecting an improper restriction on the use of a resource.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity, and the EPSS value of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog, further indicating low known exploitation. Exploitation requires remote access to the DNSdist configuration or the presence of an enabled DoH interface that utilizes the nghttp2 provider while the early_acl_drop option is turned off. An attacker can then send DNS queries over HTTPS from any origin, bypassing ACL controls."}}}}, "created": "2026-03-31T19:54:49.976655+00:00", "updated": "2026-04-15T16:45:09.787672+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$dnsdist"]}