CVE-2026-0397: Overly Permissive Cross-domain Whitelist in PowerDNS DNSdist
CVE-2026-0397 is a vulnerability in PowerDNS DNSdist versions 1.9.0 and 2.0.0 in which an overly permissive Cross-Origin Resource Sharing (CORS) policy in the internal webserver lets an attacker who lures an administrator to a malicious website read configuration information from the DNSdist dashboard through the administrator's browser. The internal webserver is disabled by default, which limits exposure. Exploitation requires user interaction and cannot modify the configuration or disrupt service. The CVSS v3.1 base score is 3.1 (Low), reflecting the limited impact and the attack complexity.
AI Analysis
Technical Summary
CVE-2026-0397 affects the internal webserver component of PowerDNS DNSdist versions 1.9.0 and 2.0.0. When that webserver is enabled (it is disabled by default), its CORS policy is too permissive: the set of origins allowed to read its responses is not limited to the dashboard's own origin or to an explicit, administrator-controlled list. A browser normally refuses to expose a cross-origin response to the page that requested it unless the server's Access-Control-Allow-Origin header names that page's origin exactly and, for requests that carry credentials, Access-Control-Allow-Credentials is "true". An allow-list that accepts or echoes arbitrary origins removes that protection, so a page on an attacker's site can fetch dashboard and API endpoints with the administrator's browser and read the results. The attacker therefore only has to get an administrator who is logged into the dashboard to open a malicious page; the page can then extract details of the running configuration. The vulnerability does not permit modification of the configuration or disruption of service; it affects confidentiality only. The attacker needs no privileges on the DNSdist host, but user interaction is required. The CVSS v3.1 base score is 3.1 (Low), reflecting the limited impact and the attack complexity. No exploitation in the wild is known at the time of writing. The root cause is the failure to restrict CORS origins in an administrative interface, where the browser's same-origin policy is the main barrier between a logged-in session and any other site the user visits. Because the webserver is disabled by default, exposure is limited to deployments that have explicitly enabled it. The case illustrates why administrative interfaces need secure defaults and tightly scoped CORS policies.
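To make the mechanism concrete, here is an added example (my own Python, not DNSdist code) that places a policy echoing the request's Origin beside an explicit allow-list and runs both through a model of the browser-side CORS check that decides whether page script may read a cross-origin response. The dashboard, trusted and attacker origins are assumed values chosen for the demonstration.

```python
# Added example (not DNSdist source): a CORS policy that echoes the requesting
# Origin beside an explicit allow-list, run through a model of the browser-side
# check that decides whether a page may read a cross-origin response.
# The dashboard origin, the trusted monitoring origin and the attacker origin
# are assumptions chosen for the demonstration.

DASHBOARD_ORIGIN = "https://dnsdist.mgmt.example:8083"            # assumed dashboard address
TRUSTED_ORIGINS = {DASHBOARD_ORIGIN, "https://ops.mgmt.example"}  # assumed allow-list
ATTACKER_ORIGIN = "https://evil.example"                          # assumed malicious site


def permissive_cors(request_origin):
    """Overly permissive policy: reflect whatever Origin the browser sent and
    allow credentials, which turns every website into an allowed caller."""
    headers = {}
    if request_origin is not None:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allowlist_cors(request_origin, allowed=TRUSTED_ORIGINS):
    """Hardened policy: only origins on an explicit list get an
    Access-Control-Allow-Origin header. 'Vary: Origin' is always set so a
    shared cache never replays one origin's header to another."""
    headers = {"Vary": "Origin"}
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_exposes_response(page_origin, response_headers, credentialed=True):
    """Model of the CORS response check a browser applies before handing a
    cross-origin response to page script. For a credentialed request (cookies
    or cached HTTP auth attached) the header must name the page's origin
    exactly and Access-Control-Allow-Credentials must be 'true'; a wildcard
    is rejected. Without credentials a wildcard is acceptable."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentialed:
        if acao == "*":
            return False
        return (acao == page_origin
                and response_headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == page_origin


def who_can_read(policy):
    """Run the policy for a trusted client page and for the attacker's page.
    Returns (trusted_page_can_read, attacker_page_can_read)."""
    trusted = "https://ops.mgmt.example"
    return (
        browser_exposes_response(trusted, policy(trusted)),
        browser_exposes_response(ATTACKER_ORIGIN, policy(ATTACKER_ORIGIN)),
    )


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_cors), ("allow-list", allowlist_cors)):
        trusted_ok, attacker_ok = who_can_read(policy)
        print(f"{name:10s} trusted page reads: {trusted_ok}  attacker page reads: {attacker_ok}")
```

The point the model makes is that a wildcard is not the dangerous case for an authenticated dashboard, because browsers refuse to pair `*` with credentials; the dangerous case is a header that names whatever origin asked, which passes the browser's check for every site on the internet.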
Potential Impact
The primary impact of CVE-2026-0397 is the unauthorized disclosure of configuration information from the DNSdist dashboard. A DNSdist configuration describes backend servers, pools, rules and access-control lists, so what leaks is a map of how DNS traffic is routed and filtered, which is useful reconnaissance for targeted attacks on the resolvers or networks behind it. The vulnerability does not allow modification of data or denial of service, but the leak weakens an organization's security posture. The need for user interaction (an administrator visiting a malicious site while logged in) narrows the attack, but administrators are exactly the people phishing and social-engineering campaigns target, so it does not remove the risk. Organizations that rely on DNSdist for DNS load balancing or filtering face this exposure only if the internal webserver is enabled on an affected version. The impact is therefore on confidentiality alone, with no direct effect on integrity or availability.
Mitigation Recommendations
The definitive fix for CVE-2026-0397 is to upgrade DNSdist to a release in which PowerDNS has corrected the CORS handling; consult the PowerDNS security advisory for the fixed versions. Until that is done, first check whether the internal webserver is enabled at all; if it is not needed, leave it disabled, which removes the exposure entirely. Where the webserver is required, bind it to a loopback or dedicated management address rather than a routable one and restrict it with the webserver's access-control list so that only management hosts can reach it; the attacker's page can only exploit the flaw if the administrator's browser can reach the dashboard, so the ACL decides which browsers are in scope. If DNSdist sits behind a reverse proxy, the proxy can overwrite or drop the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers so that only the dashboard's own origin, or an explicit list of trusted origins, is allowed, never a wildcard and never an echo of the request's Origin. A Content Security Policy on the dashboard does not help here: the attacking script runs on the attacker's origin, which the dashboard's CSP does not govern. Tell administrators to open the dashboard in a separate browser profile, to close it before browsing elsewhere, and to treat links received while an administrative session is open with suspicion. Log and monitor dashboard access, and look for requests whose Origin header is not the dashboard's own origin; on an administrative interface those are rare and worth alerting on. A web application firewall already in front of the dashboard can do the same header inspection, but it is not a substitute for upgrading.
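As an added example of the "check whether your own instance is affected" step (my own script, not a PowerDNS tool), here is a probe that requests a dashboard or API URL with a forged Origin and classifies the CORS headers in the reply. The target URL and the canary origin are assumptions, the two sample header sets are constructed for offline use rather than captured from a real instance, and the X-API-Key and HTTP basic-auth headers are what I recall from the DNSdist webserver documentation, so verify them against the version you run.

```python
# Added example (not a PowerDNS tool): an audit probe that sends a request with a
# forged Origin to an administrative endpoint and classifies the CORS headers
# that come back. The target URL and the canary origin are assumptions; the two
# header sets at the bottom are constructed for offline use, not captured from
# a real DNSdist instance. The X-API-Key and HTTP basic-auth headers follow the
# DNSdist webserver documentation as I recall it; verify against your version.

import base64
import urllib.error
import urllib.request

CANARY_ORIGIN = "https://cors-canary.invalid"  # assumed origin no admin would ever allow


def assess_cors(response_headers, probe_origin=CANARY_ORIGIN):
    """Classify a response to a cross-origin request from probe_origin.
    Header names are compared case-insensitively."""
    lowered = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = lowered.get("access-control-allow-origin")
    credentials = lowered.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"                     # browser blocks cross-origin reads
    if acao == probe_origin and credentials:
        return "reflected-with-credentials"  # any site can read authenticated responses
    if acao == probe_origin:
        return "reflected"                   # any site can read unauthenticated responses
    if acao == "*":
        # browsers refuse '*' for credentialed requests, so this is sloppy but not exploitable
        return "wildcard-with-credentials" if credentials else "wildcard"
    return "allow-list"                      # a fixed origin that is not the canary


def probe(url, probe_origin=CANARY_ORIGIN, api_key=None, password=None, timeout=5):
    """Fetch url with a forged Origin. Supply the dashboard's own credentials so
    the reply is the authenticated one an administrator's browser would get.
    Returns (http_status, verdict); a 401/403 reply is assessed too, because its
    CORS headers are usually produced by the same code path."""
    request = urllib.request.Request(url, method="GET")
    request.add_header("Origin", probe_origin)
    if api_key is not None:
        request.add_header("X-API-Key", api_key)          # assumed DNSdist API header
    if password is not None:
        token = base64.b64encode(f"admin:{password}".encode()).decode()
        request.add_header("Authorization", "Basic " + token)  # assumed: username ignored
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, assess_cors(dict(response.headers.items()), probe_origin)
    except urllib.error.HTTPError as err:
        return err.code, assess_cors(dict(err.headers.items()), probe_origin)


# Constructed header sets for offline testing (not real DNSdist output).
VULNERABLE_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": CANARY_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
FIXED_RESPONSE = {
    "Content-Type": "application/json",
    "Vary": "Origin",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        key = sys.argv[2] if len(sys.argv) > 2 else None
        status, verdict = probe(sys.argv[1], api_key=key)
        print(f"{sys.argv[1]}: HTTP {status}, CORS verdict: {verdict}")
    else:
        print("constructed vulnerable response:", assess_cors(VULNERABLE_RESPONSE))
        print("constructed fixed response:     ", assess_cors(FIXED_RESPONSE))
```

Run it with the dashboard or API URL (and the API key) as arguments from a host the webserver ACL admits. A verdict of `reflected-with-credentials` means any site the administrator visits can read that response; `no-cors` or `allow-list` means the browser's same-origin policy holds for the canary. Rerun it after upgrading or after placing a proxy in front, since the verdict is the quickest way to confirm the change took effect.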
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, Japan, South Korea, Australia, Canada, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: OX
- Date Reserved: 2025-11-28T09:18:06.484Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cbb931e6bfc5ba1d10da47
Added to database: 3/31/2026, 12:08:17 PM
Last enriched: 3/31/2026, 12:23:39 PM
Last updated: 3/31/2026, 1:19:49 PM
Views: 3