The vulnerability identified as CVE-2026-24281 affects Apache ZooKeeper versions 3.8.0 and 3.9.0. It stems from the hostname verification mechanism within the ZKTrustManager component, which is responsible for validating TLS certificates during secure communications. Normally, ZooKeeper validates the server or client identity by checking the IP address against the Subject Alternative Name (SAN) fields in the certificate. However, if this IP SAN validation fails, the system falls back to verifying the hostname via reverse DNS (PTR) lookup. This fallback reliance on reverse DNS is problematic because PTR records can be manipulated or spoofed by attackers who control DNS infrastructure or can poison DNS caches. By spoofing PTR records, an attacker can impersonate legitimate ZooKeeper servers or clients if they can also present a certificate trusted by ZKTrustManager for the PTR hostname. Although the attacker must have a trusted certificate, which limits the attack surface, the fallback behavior introduces a significant risk of impersonation and man-in-the-middle attacks. The Apache Software Foundation addressed this vulnerability in ZooKeeper versions 3.8.6 and 3.9.5 by introducing a configuration option to disable reverse DNS lookups in both client and quorum protocols, effectively removing the insecure fallback. No CVSS score has been assigned yet, and no exploits have been observed in the wild, but the vulnerability is publicly disclosed and should be treated seriously given ZooKeeper’s critical role in distributed systems coordination.

This vulnerability can lead to impersonation of ZooKeeper servers or clients, enabling attackers to intercept, manipulate, or disrupt communications within distributed systems that rely on ZooKeeper for coordination and configuration management. Such impersonation could facilitate man-in-the-middle attacks, unauthorized access, or injection of malicious commands, potentially compromising the integrity and availability of critical services dependent on ZooKeeper. Organizations using affected versions in production environments, especially those running distributed applications, cloud services, or large-scale data platforms, face risks of service disruption and data breaches. The requirement for a trusted certificate to exploit the vulnerability reduces the likelihood of widespread exploitation but does not eliminate the risk, particularly in environments where certificate management or trust boundaries are weak. The fallback to reverse DNS lookup also introduces a vector for DNS-based attacks, which can be leveraged in targeted attacks against high-value infrastructure.

Organizations should upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5 or later, where the vulnerability is fixed by disabling reverse DNS lookups by default or via configuration. If immediate upgrading is not feasible, administrators should manually disable reverse DNS lookups in the client and quorum protocols by setting the new configuration option introduced in the patched versions. Additionally, organizations should audit their certificate trust stores to ensure only legitimate certificates are trusted by ZKTrustManager, minimizing the risk of attackers presenting fraudulent certificates. Monitoring DNS infrastructure for suspicious PTR record changes and implementing DNS security measures such as DNSSEC can reduce the risk of PTR spoofing. Network segmentation and strict access controls around ZooKeeper nodes can further limit exposure. Finally, organizations should maintain vigilant logging and anomaly detection to identify potential misuse or impersonation attempts.