Information disclosure in Apache ZooKeeper

CVE-2026-24308

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are…

EPSS: 0.011 (62.8th percentile).

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Frequently asked questions

What is CVE-2026-24308?
CVE-2026-24308 is a high-severity vulnerability in Apache ZooKeeper, classified under Insertion of Sensitive Information into Log File. CVSS score: 7.5/10. Published 2026-03-07.

How severe is CVE-2026-24308?
High severity. The CVSS v3 base score is 7.5 out of 10.