Apache ZooKeeper Vulnerability Exposes Sensitive Data to Attackers
Apache has disclosed two important security vulnerabilities in Apache ZooKeeper that could allow attackers to expose sensitive configuration data and bypass hostname verification in distributed systems. Both flaws affect ZooKeeper versions 3.8.x and 3.9.x and have been assigned CVEs with an “important” severity rating.
Apache ZooKeeper is a widely used open-source coordination service for distributed applications, making these vulnerabilities particularly significant for production environments running microservices, Kafka clusters, and Hadoop ecosystems.
The first flaw, CVE-2026-24308, stems from improper handling of configuration values in the ZKConfig component. When ZooKeeper processes client configurations, sensitive values are inadvertently written to the client’s log file at the INFO logging level, a level commonly enabled in production environments.
This means any attacker or insider with read access to log files could extract credentials, connection strings, or other sensitive configuration data without needing elevated privileges or exploiting any network-level weakness.
The issue affects all platforms running Apache ZooKeeper 3.8.0–3.8.5 and 3.9.0–3.9.4. The vulnerability was reported by Youlong Chen of the Institute of Computing Technology, Chinese Academy of Sciences.
The second vulnerability, CVE-2026-24281 (tracked as ZOOKEEPER-4986), affects the ZKTrustManager component, which is responsible for TLS hostname verification. When IP Subject Alternative Name (SAN) validation fails, ZooKeeper falls back to a reverse DNS (PTR record) lookup to verify the server’s identity.
An attacker who controls or spoofs PTR records could impersonate a legitimate ZooKeeper server or client, provided they present a certificate trusted by ZKTrustManager.
While the requirement to hold a trusted certificate raises the bar for exploitation, the attack remains a credible threat in environments where certificate issuance is loosely controlled or where DNS infrastructure is not adequately secured. This flaw was reported by Nikita Markevich.
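To make the fallback concrete, here is an added model of the two-step identity check described above. It is not ZooKeeper's own ZKTrustManager code (which is Java), and the names `PeerCert`, `FakeResolver`, `verify_peer` and `run_scenarios` are hypothetical; the constructed resolver stands in for a reverse DNS zone that may or may not be under the operator's control. The point it shows is a defensive one: once the PTR step is allowed, the check is only as trustworthy as whoever controls the reverse zone, and switching the fallback off pushes the decision back onto the certificate's IP SANs.

```python
"""Added illustration of IP-SAN verification with and without a PTR fallback.
Hypothetical model, not ZooKeeper code; assumptions are marked inline."""
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Stand-in for the identity fields of an X.509 certificate that the
    trust manager has already accepted as chaining to a trusted CA."""
    ip_sans: set = field(default_factory=set)    # iPAddress SAN entries
    dns_sans: set = field(default_factory=set)   # dNSName SAN entries


@dataclass
class FakeResolver:
    """Constructed reverse-DNS view: peer IP -> PTR name. In a deployment this
    mapping belongs to whoever administers the reverse zone."""
    ptr: dict = field(default_factory=dict)

    def reverse(self, ip: str):
        return self.ptr.get(ip)


def verify_peer(peer_ip: str, cert: PeerCert, resolver: FakeResolver,
                allow_reverse_dns: bool) -> tuple:
    """Return (accepted, reason).
    Step 1: the peer IP must appear as an IP SAN.
    Step 2 (only if allow_reverse_dns): accept when the PTR name of the peer IP
    matches one of the certificate's DNS SANs. This is the assumed fallback."""
    if peer_ip in cert.ip_sans:
        return True, "ip-san"
    if not allow_reverse_dns:
        return False, "no-ip-san-match"
    name = resolver.reverse(peer_ip)
    dns_names = {d.rstrip(".").lower() for d in cert.dns_sans}
    if name is not None and name.rstrip(".").lower() in dns_names:
        return True, "ptr-fallback"
    return False, "ptr-mismatch"


def run_scenarios() -> dict:
    """Constructed scenarios: a server whose cert carries an IP SAN, and a
    different host that holds a trusted cert for its own name and whose
    PTR record (constructed) points at that same name."""
    expected_server = PeerCert(ip_sans={"10.0.0.5"},
                               dns_sans={"zk1.internal.example"})
    other_host_cert = PeerCert(dns_sans={"lab.internal.example"})
    resolver = FakeResolver(ptr={
        "10.0.0.5": "zk1.internal.example",
        "10.0.0.99": "lab.internal.example",   # reverse zone entry for the other host
    })
    return {
        # Genuine server is accepted in both modes because of its IP SAN.
        "server_strict": verify_peer("10.0.0.5", expected_server, resolver, False),
        "server_fallback": verify_peer("10.0.0.5", expected_server, resolver, True),
        # Other host: rejected when only IP SANs count, accepted once the
        # resolver-dependent fallback is consulted.
        "other_strict": verify_peer("10.0.0.99", other_host_cert, resolver, False),
        "other_fallback": verify_peer("10.0.0.99", other_host_cert, resolver, True),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16s} accepted={ok!s:5s} reason={why}")
```

The `other_fallback` outcome is the one the advisory warns about: the certificate is trusted, the reverse lookup agrees with it, and nothing in that path ties the peer to the server the client meant to reach. The `other_strict` outcome is what disabling the fallback buys, at the cost of requiring certificates that carry IP SANs for the addresses actually used.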
| CVE ID | Component | CVSS Severity | Affected Versions | Fix Version |
|---|---|---|---|---|
| CVE-2026-24308 | ZKConfig | Important | 3.8.0–3.8.5, 3.9.0–3.9.4 | 3.8.6, 3.9.5 |
| CVE-2026-24281 | ZKTrustManager | Important | 3.8.0–3.8.5, 3.9.0–3.9.4 | 3.8.6, 3.9.5 |
Apache has released patched versions to address both vulnerabilities. According to the Apache ZooKeeper advisory, version 3.9.5 introduces a new configuration option to explicitly disable reverse DNS lookup in both client and quorum protocols, directly addressing the hostname bypass issue.
Recommended actions for security teams:
- Upgrade immediately to Apache ZooKeeper 3.8.6 or 3.9.5
- Audit log file permissions to restrict access to ZooKeeper client logs in the interim
- Disable reverse DNS fallback using the new configuration option available in 3.9.5
- Review certificate issuance policies to limit exposure from the ZKTrustManager bypass
- Monitor ZooKeeper logs for unexpected configuration value exposure
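For the log-exposure side (the ZKConfig flaw described earlier and the last action above), here is an added detection example. It is not part of the article or of ZooKeeper; the log layout, logger names and sample lines are constructed to look like a log4j-style client log and do not reproduce the real vulnerable output. It scans for INFO-or-higher lines that print `key=value` pairs whose key looks credential-like, and reports each finding with the value masked so the report itself does not re-leak the secret.

```python
"""Added example: flag configuration values with sensitive-looking keys that
appear in INFO/WARN/ERROR log lines. Sample log and layout are constructed."""
import re

# Constructed sample in a log4j-style layout; real layouts vary per deployment.
SAMPLE_LOG = """\
2026-02-10 09:12:01,004 [main] INFO  org.apache.zookeeper.common.ZKConfig - Reading configuration from: /etc/zookeeper/client.cfg
2026-02-10 09:12:01,010 [main] INFO  org.apache.zookeeper.common.ZKConfig - zookeeper.ssl.keyStore.location=/etc/zookeeper/keystore.jks
2026-02-10 09:12:01,011 [main] INFO  org.apache.zookeeper.common.ZKConfig - zookeeper.ssl.keyStore.password=changeit123
2026-02-10 09:12:01,012 [main] INFO  org.apache.zookeeper.common.ZKConfig - zookeeper.ssl.trustStore.password=s3cret
2026-02-10 09:12:01,020 [main] DEBUG org.apache.zookeeper.ClientCnxn - zookeeper.client.secure=true
2026-02-10 09:12:02,100 [main] INFO  org.apache.zookeeper.ZooKeeper - Initiating client connection, connectString=zk1:2281
"""

# "<date> <time> [thread] LEVEL logger - message"; adjust for other layouts.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[[^\]]*\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
# key=value tokens inside the message part.
KV_RE = re.compile(r"(?P<key>[\w.\-]+)=(?P<val>\S+)")
# Key fragments that usually denote secrets (assumption; extend per site).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|credential|token", re.I)


def redact(value: str) -> str:
    """Keep only the length so a finding never repeats the secret."""
    return "*" * len(value)


def find_exposures(log_text: str, levels=("INFO", "WARN", "ERROR")) -> list:
    """Return one finding per sensitive key=value seen at a level in `levels`.
    DEBUG/TRACE are excluded by default because the concern is what production
    logging (INFO and above) routinely writes."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or m["level"] not in levels:
            continue
        for kv in KV_RE.finditer(m["msg"]):
            if SENSITIVE_KEY.search(kv["key"]):
                hits.append({
                    "line": lineno,
                    "level": m["level"],
                    "logger": m["logger"],
                    "key": kv["key"],
                    "value": redact(kv["val"]),
                })
    return hits


if __name__ == "__main__":
    for h in find_exposures(SAMPLE_LOG):
        print(f"line {h['line']}: {h['level']} {h['logger']} {h['key']}={h['value']}")
```

Run it over real client logs (replacing `SAMPLE_LOG` with the file contents) to confirm whether an unpatched deployment has already written secrets to disk; a non-empty result is also the signal to rotate the affected credentials, not only to tighten file permissions.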
Organizations running ZooKeeper in production, especially those supporting Kafka, HBase, or cloud-native workloads, should treat these patches as high priority given the sensitive nature of the data at risk.
Site: cybersecuritypath.com