CVE-2026-24029 is a vulnerability identified in PowerDNS DNSdist versions 1.9.0 and 2.0.0 that affects the DNS over HTTPS (DoH) frontend when using the nghttp2 provider. The root cause is the incorrect handling of the early_acl_drop (earlyACLDrop in Lua) configuration option. By default, early_acl_drop is enabled, which ensures that access control list (ACL) checks are performed early in the request processing pipeline to restrict which clients can send DoH queries. However, if this option is disabled, the ACL check is skipped entirely, allowing any client to send DoH queries regardless of the ACL settings. This bypass undermines the intended access restrictions, potentially allowing unauthorized clients to query the DNSdist server over DoH. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely over the network. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and partial impact on confidentiality and integrity, but no impact on availability. No known exploits have been reported in the wild to date. The issue is specific to configurations where early_acl_drop is disabled, which is not the default setting, but may be changed by administrators for specific use cases. DNSdist is widely used in DNS infrastructure to provide load balancing, security, and DoH capabilities, making this vulnerability relevant to organizations deploying DNSdist as a DoH frontend. The vulnerability highlights the importance of proper ACL enforcement in DNS services to prevent unauthorized query access and potential information leakage or misuse.

The primary impact of CVE-2026-24029 is the bypass of access control restrictions on DNS over HTTPS queries handled by PowerDNS DNSdist. Unauthorized clients can send DoH queries even if they are not permitted by the configured ACL, potentially exposing internal DNS infrastructure to untrusted users. This can lead to information disclosure about internal network names or DNS configurations, undermining confidentiality. Additionally, attackers could leverage this access to perform DNS query manipulation or reconnaissance, impacting data integrity. Although the vulnerability does not directly affect availability, the increased unauthorized query load could degrade service performance or be leveraged in broader DNS abuse scenarios. Organizations relying on DNSdist for secure DoH frontends may face increased risk of DNS abuse, data leakage, and reduced trust in their DNS services. The lack of authentication and user interaction requirements increases the ease of exploitation, making it a significant concern for internet-facing DNS services. The vulnerability is particularly impactful for organizations enforcing strict client-based ACLs to limit DNS query access, such as ISPs, cloud providers, and enterprises with sensitive DNS data. Failure to address this issue could lead to unauthorized DNS traffic, complicating incident response and increasing exposure to DNS-based attacks.

To mitigate CVE-2026-24029, organizations should first verify the configuration of the early_acl_drop (earlyACLDrop in Lua) option on their DNSdist DoH frontends using the nghttp2 provider. Since the default setting is enabled, ensure it has not been disabled inadvertently or for specific custom configurations. Re-enabling early_acl_drop will restore proper ACL enforcement and prevent unauthorized clients from sending DoH queries. Additionally, administrators should monitor DNSdist logs for unusual or unauthorized DoH query activity that could indicate exploitation attempts. If available, upgrade DNSdist to patched versions that explicitly address this vulnerability once released by PowerDNS. In the absence of patches, consider implementing network-level controls such as firewall rules or DoH proxy restrictions to limit access to trusted clients only. Regularly audit DNSdist configurations and ACLs to ensure they align with security policies. Employ DNS query logging and anomaly detection to identify potential misuse. Finally, maintain awareness of updates from PowerDNS and the security community regarding this vulnerability and related threats.