CVE-2026-24281 Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager

🗓️ 07 Mar 2026 08:50:32Reported by apacheType

CVE-2026-24281: ZooKeeper ZKTrustManager may bypass hostname verification via reverse domain name fallback.

Reporter	Title	Published	Views	Family All 78
IBM Security Bulletins	Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale Management GUI, Cluster Export Services (CES) S3 or HDFS layer are now fixed in 5.2.3.8 and 6.0.1.0 or higher	5 Jun 202619:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Operational Decision Manager for April 2026 - Multiple CVEs addressed	29 May 202610:57	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in zookeeper-3.8.4.jar	28 Apr 202619:11	–	ibm
ATTACKERKB	CVE-2026-24281	7 Mar 202608:50	–	attackerkb
Tenable Nessus	Apache ZooKeeper 3.8.x < 3.8.6 / 3.9.x < 3.9.5 Multiple Vulnerabilities	12 Mar 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2026-24281	10 Mar 202600:00	–	nessus
Chainguard	CVE-2026-24281 vulnerabilities	12 Mar 202607:18	–	cgr
Circl	CVE-2026-24281	7 Mar 202608:16	–	circl
CNNVD	Apache Zookeeper 安全漏洞	7 Mar 202600:00	–	cnnvd
CVE	CVE-2026-24281	7 Mar 202608:50	–	cve

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.zookeeper:zookeeper",
    "product": "Apache ZooKeeper",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "3.9.4",
        "status": "affected",
        "version": "3.9.0",
        "versionType": "maven"
      },
      {
        "lessThanOrEqual": "3.8.5",
        "status": "affected",
        "version": "3.8.0",
        "versionType": "maven"
      }
    ]
  }
]

Source	Link
lists	www.lists.apache.org/thread/088ddsbrzhd5lxzbqf5n24yg0mwh9jt2

07 Mar 2026 08:50Current

EPSS0.0003