Hostname Verification Vulnerability in Apache ZooKeeper
CVE-2026-24281

5.9 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
7 March 2026

What is CVE-2026-24281?

A vulnerability exists in Apache ZooKeeper's ZKTrustManager: when validation of the certificate's IP Subject Alternative Name (SAN) fails, hostname verification falls back by default to a reverse DNS (PTR) lookup of the peer's address and accepts a certificate that is valid for the resolved name. Because PTR records are controlled by whoever controls the reverse zone, an attacker who controls or spoofs the PTR record for an address can impersonate a ZooKeeper server or client using a valid certificate for the associated PTR name. To mitigate the risk, upgrade to version 3.8.6 or 3.9.5, which introduce a configuration option to disable the reverse DNS lookup in the client and quorum protocols.
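The following is an added model of the verification logic described above, written for this page and not taken from ZooKeeper's ZKTrustManager. The `PeerCertificate` class, the `PTR_TABLE` reverse-zone stub and the `allow_reverse_dns_fallback` switch are all constructed for the example; the switch stands in for the unnamed configuration option the fixed releases add, and the addresses and names are made up. It shows why an IP-SAN check that falls back to a PTR name accepts an impostor whose reverse record points at a name it holds a valid certificate for, and how disabling the fallback closes that path.

```python
"""Model of the IP-SAN check with an optional reverse-DNS (PTR) fallback.

Added illustration only: not ZooKeeper's code. The certificate type, PTR
table and the allow_reverse_dns_fallback switch are constructed here.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PeerCertificate:
    """Only the Subject Alternative Name entries matter for this check."""
    ip_sans: List[str] = field(default_factory=list)
    dns_sans: List[str] = field(default_factory=list)


# Constructed PTR table standing in for a reverse-DNS zone. The 10.0.0.99
# entry models a record controlled or spoofed by the impostor: it points at
# a name for which the impostor legitimately holds a certificate.
PTR_TABLE = {
    "10.0.0.5": "zk1.example.internal",
    "10.0.0.99": "attacker-owned.example.net",
}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stub reverse lookup over the constructed table (None if no record)."""
    return PTR_TABLE.get(ip)


def dns_name_matches(name: str, san: str) -> bool:
    """Case-insensitive dNSName match allowing one leftmost wildcard label."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        labels = name.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == san[2:]
    return name == san


def verify_peer(peer_ip: str, cert: PeerCertificate,
                ptr_lookup: Callable[[str], Optional[str]] = lookup_ptr,
                allow_reverse_dns_fallback: bool = True) -> str:
    """Return how the peer was accepted, or 'rejected'.

    Step 1 is the sound check: the address the socket is connected to must
    appear as an iPAddress SAN. Step 2 is the fallback the advisory
    describes: on failure, resolve the address to a PTR name and accept any
    certificate valid for that name. The peer's identity is then decided by
    whoever controls the reverse zone, not by the certificate alone.
    """
    peer_addr = ipaddress.ip_address(peer_ip)
    for san in cert.ip_sans:
        try:
            if ipaddress.ip_address(san) == peer_addr:
                return "accepted:ip-san"
        except ValueError:
            continue  # malformed iPAddress SAN: treat as non-matching

    if not allow_reverse_dns_fallback:
        return "rejected"  # hardened behaviour: no PTR-derived identity

    ptr_name = ptr_lookup(peer_ip)
    if ptr_name and any(dns_name_matches(ptr_name, san) for san in cert.dns_sans):
        return "accepted:ptr-fallback"
    return "rejected"


# Constructed scenario: the genuine server's certificate carries its IP SAN;
# the impostor at 10.0.0.99 presents a certificate with no IP SAN that is
# genuinely valid for the name its spoofed PTR record resolves to.
GENUINE_CERT = PeerCertificate(ip_sans=["10.0.0.5"], dns_sans=["zk1.example.internal"])
IMPOSTOR_CERT = PeerCertificate(ip_sans=[], dns_sans=["attacker-owned.example.net"])


if __name__ == "__main__":
    for fallback in (True, False):
        print(f"reverse-DNS fallback={fallback}: genuine ->",
              verify_peer("10.0.0.5", GENUINE_CERT, allow_reverse_dns_fallback=fallback),
              "| impostor ->",
              verify_peer("10.0.0.99", IMPOSTOR_CERT, allow_reverse_dns_fallback=fallback))
```

With the fallback enabled the impostor is accepted via `ptr-fallback`; with it disabled only the genuine peer, whose certificate names the connected address in an iPAddress SAN, passes. The practical consequence for operators is that certificates used for ZooKeeper TLS should carry the peer's IP address as a SAN so that the fallback is never needed, and the reverse-DNS option should be turned off once on a fixed release.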

Affected Version(s)

Apache ZooKeeper 3.9.0 through 3.9.4

Apache ZooKeeper 3.8.0 through 3.8.5

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nikita Markevich <markevich.nikita1@gmail.com>