Vulnerability in Apache Software Foundation ZooKeeper
CVE-2026-24281
Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate…
EPSS: 0.000 (9.0th percentile)
Affected products
- Apache Software Foundation ZooKeeper, versions 3.9.0, 3.8.0
Weakness classification (CWE)
References
- lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2 (vendor-advisory)