TSIG Authentication Flaw in CoreDNS Affects Multiple Transport Implementations by Cloudflare
CVE-2026-35579

8.2 HIGH

Key Information:

Vendor: Coredns
Status: Vendor
CVE Published: 5 May 2026

What is CVE-2026-35579?

A security flaw in CoreDNS, a DNS server implemented in Go, allows unauthenticated network attackers to bypass TSIG authentication on several transport implementations, specifically gRPC, QUIC, DoH, and DoH3. In versions before 1.14.3, these transports fail to validate TSIG key authenticity correctly and treat a request as authenticated even when the key it presents is invalid. This permits unauthorized use of TSIG-protected operations such as AXFR/IXFR zone transfers and dynamic DNS updates. The risk is particularly pronounced for DoH and DoH3, where an attacker needs no prior knowledge of valid TSIG key names. To mitigate the risk, users are advised to upgrade to version 1.14.3 or to restrict access to the affected transport ports.
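The failure mode the advisory describes, a server that treats a request as TSIG-authenticated without its key actually checking out, is easiest to see against a correct check. The following is an added, constructed Go model of TSIG verification; it is not CoreDNS code and does not reproduce the actual CoreDNS defect. TSIG is simplified to an HMAC-SHA256 over the message bytes keyed by a named shared secret (real TSIG also covers the signing time and a fudge window), and the names `tsigMsg`, `verifyTSIG`, `vulnerableAuthorized` and `fixedAuthorized` are this example's own. `vulnerableAuthorized` stands in for the bug class: a verification result that is computed but never enforced.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// tsigMsg is a constructed stand-in for a DNS message carrying a TSIG RR:
// the bytes the MAC covers, the key name named in the RR, and the MAC itself.
type tsigMsg struct {
	Body    []byte
	KeyName string
	MAC     []byte
}

var (
	errUnknownKey = errors.New("tsig: unknown key name")
	errBadMAC     = errors.New("tsig: MAC verification failed")
)

// computeMAC is the simplified TSIG MAC: HMAC-SHA256 over the message body.
func computeMAC(secret, body []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	return h.Sum(nil)
}

// verifyTSIG is the correct check. A key name the server has not configured
// and a MAC that does not match the configured secret are both failures;
// a request for which verification fails must not be treated as authenticated.
func verifyTSIG(secrets map[string][]byte, m tsigMsg) error {
	secret, ok := secrets[m.KeyName]
	if !ok {
		// No prior knowledge of key names required to reach this branch.
		return errUnknownKey
	}
	if !hmac.Equal(computeMAC(secret, m.Body), m.MAC) {
		return errBadMAC
	}
	return nil
}

// vulnerableAuthorized models the advisory's failure mode: the transport
// handler computes a verification result but does not act on it, so every
// request, including one with an unknown key, proceeds as authenticated.
func vulnerableAuthorized(secrets map[string][]byte, m tsigMsg) bool {
	_ = verifyTSIG(secrets, m) // result discarded
	return true
}

// fixedAuthorized enforces the result: only a verified request is authorized
// for TSIG-protected operations such as AXFR/IXFR or dynamic update.
func fixedAuthorized(secrets map[string][]byte, m tsigMsg) bool {
	return verifyTSIG(secrets, m) == nil
}

func main() {
	// Constructed server configuration and request payload.
	secrets := map[string][]byte{"axfr-key.": []byte("constructed-shared-secret")}
	body := []byte("AXFR example.test.")

	requests := map[string]tsigMsg{
		"valid key, valid MAC": {Body: body, KeyName: "axfr-key.", MAC: computeMAC(secrets["axfr-key."], body)},
		"valid key, bad MAC":   {Body: body, KeyName: "axfr-key.", MAC: []byte("not-a-real-mac")},
		"unknown key name":     {Body: body, KeyName: "guessed-key.", MAC: []byte("irrelevant")},
	}
	for label, m := range requests {
		fmt.Printf("%-22s vulnerable=%v fixed=%v err=%v\n",
			label, vulnerableAuthorized(secrets, m), fixedAuthorized(secrets, m), verifyTSIG(secrets, m))
	}
}
```

For a defender reviewing a handler, the useful property is that the last two request kinds are rejected and that the rejection maps to a refusal on the wire rather than to a successful zone transfer; the unknown-key case is the one the advisory singles out for DoH and DoH3.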

Affected Version(s)

coredns < 1.14.3

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
