Access Control Bypass in PowerDNS DNS over HTTPS Frontend
CVE-2026-24029

6.5 MEDIUM

Key Information:

Vendor

PowerDNS

Status
Vendor
CVE Published: 31 March 2026

What is CVE-2026-24029?

An access control bypass vulnerability exists in the DNS over HTTPS (DoH) frontend of PowerDNS DNSdist when the early_acl_drop option is disabled. The option is enabled by default; when it is turned off, the Access Control List (ACL) checks are skipped. With this configuration, any client can send DoH queries regardless of the configured ACL rules, so unauthorized users can reach the resolver, which can lead to abuse of DNS services.

Affected Version(s)

DNSdist 1.9.0 < 1.9.12

DNSdist 2.0.0 < 2.0.3

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Surya Narayan Kushwaha (aka Cavid)