Apache ZooKeeper Vulnerability Exposes Sensitive Data to Attackers
A critical coordination service for distributed systems suffers from a serious flaw that leaks client configuration details into Apache ZooKeeper log files.
This vulnerability, tracked as CVE-2026-24308, allows attackers to retrieve sensitive information, such as credentials or connection strings, by accessing the logs.
At the heart of this issue lies ZKConfig’s sloppy handling of config values in ZooKeeper versions 3.8.0 to 3.8.5 and 3.9.0 to 3.9.4.
When clients connect, sensitive parameters like server endpoints or auth tokens get dumped straight into INFO-level logs without sanitization.
An attacker with log access, say via a compromised node or shared logging setup, reads these plaintext secrets. Picture a cluster where one weak server logs everything to a central system; boom, configs for the whole ensemble spill out.
CVE-2026-24281 piles on by weakening ZKTrustManager’s hostname verification. If IP SAN checks fail, it flips to reverse-DNS (PTR records), which attackers spoof easily if they hold a trusted cert for the PTR name.
This lets fake servers or clients impersonate legit ones in quorum or client protocols. Tracked under ZOOKEEPER-4986, the patch adds a config flag to kill reverse-DNS entirely. Reported in Apache ZooKeeper
Both new CVEs overlap in affected ranges, so dual patching is non-negotiable for 3.8/3.9 users.
AdminServer woes run deep. CVE-2025-58457 lets semi-privileged clients run snapshot/restore without full perms, risking data dumps or overwrites; the fix is to toggle admin.snapshot.enabled or tighten the root ACL.
Worse, CVE-2024-51504 exploits X-Forwarded-For header spoofing in IPAuthenticationProvider, skipping IP checks entirely for commands like snapshot.
Then there’s CVE-2024-23944’s critical watcher bug: addWatch on a parent znode you own triggers events exposing full child paths (usernames, IDs) without ACL checks, even if the child nodes are locked down.
Older CVEs still bite unpatched setups. CVE-2023-44981 skips SASL quorum auth if instance IDs lack full format (e.g., “eve@EXAMPLE.COM”), letting rogues join and rewrite the data tree.
CVE-2019-0201 leaks unsalted Digest auth hashes via getACL(), handing crackers password fodder.
Quorum join flaws like CVE-2018-8012 allow fake peers without mutual auth, while early ones like CVE-2017-5637 enable CPU DoS via wchp/wchc 4lw commands, and CVE-2016-5017 overflows C CLI buffers on long inputs.
Patch first: target the latest stables like 3.9.5 or 3.8.6. Firewall client ports, disable risky 4lw/admin commands, enforce SASL/Kerberos over Digest, and lock ensembles behind VPNs.
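As an added example (not from the article or the ZooKeeper project), a small Python audit that reads a zoo.cfg and flags the settings the hardening advice above targets. The property names are real zoo.cfg keys; the sample config is constructed, and the defaults assumed for missing keys are marked in comments.

```python
"""Audit a ZooKeeper zoo.cfg for the hardening settings discussed in the article."""
import re

# Constructed sample: a permissive zoo.cfg of the kind the article warns about.
WEAK_ZOO_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
4lw.commands.whitelist=*
admin.enableServer=true
admin.snapshot.enabled=true
quorum.auth.enableSasl=false
"""

# 4lw commands the article names as a CPU-exhaustion vector (CVE-2017-5637).
RISKY_4LW = {"wchp", "wchc"}


def parse_properties(text):
    """Parse Java-properties style key=value lines; blanks and comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return (key, finding) pairs for settings that widen the attack surface."""
    findings = []
    cmds = {c.strip() for c in props.get("4lw.commands.whitelist", "").split(",") if c.strip()}
    if "*" in cmds or cmds & RISKY_4LW:
        findings.append(("4lw.commands.whitelist", "wildcard or wchp/wchc allowed; restrict to e.g. srvr,ruok"))
    # Assumption: AdminServer and its snapshot commands default to enabled when the key is absent.
    if props.get("admin.enableServer", "true").lower() == "true":
        findings.append(("admin.enableServer", "AdminServer exposed; disable it or firewall its port"))
    if props.get("admin.snapshot.enabled", "true").lower() == "true":
        findings.append(("admin.snapshot.enabled", "snapshot/restore reachable (CVE-2025-58457)"))
    # Assumption: quorum SASL auth is off unless explicitly enabled.
    if props.get("quorum.auth.enableSasl", "false").lower() != "true":
        findings.append(("quorum.auth.enableSasl", "quorum SASL off; rogue peers can join (CVE-2018-8012)"))
    return findings


if __name__ == "__main__":
    for key, msg in audit(parse_properties(WEAK_ZOO_CFG)):
        print(f"[!] {key}: {msg}")
```

Point it at a real zoo.cfg by replacing WEAK_ZOO_CFG with the file contents; a clean result is a list with no entries.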