CVE-2026-24281 is a vulnerability in Apache ZooKeeper's ZKTrustManager component related to hostname verification during TLS connections. When validating server or client certificates, ZooKeeper first checks the IP Subject Alternative Name (SAN) in the certificate. If this validation fails, it falls back to verifying the hostname via reverse DNS (PTR) lookup. This fallback mechanism is problematic because PTR records can be spoofed or controlled by an attacker, enabling them to impersonate legitimate ZooKeeper nodes by presenting a certificate trusted by the ZKTrustManager for the PTR hostname. The vulnerability is classified under CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action) and CWE-295 (Improper Certificate Validation). Exploiting this flaw requires the attacker to have a certificate trusted by the ZKTrustManager, which raises the bar for exploitation but does not eliminate risk. The impact is primarily on integrity, as attackers can impersonate nodes and potentially manipulate quorum decisions or client-server communications. No known exploits are currently in the wild. Apache fixed the issue in versions 3.8.6 and 3.9.5 by introducing a configuration option to disable reverse DNS lookups in client and quorum protocols, thereby removing the insecure fallback. Users running affected versions 3.8.0 and 3.9.0 are strongly advised to upgrade or apply mitigations to avoid impersonation attacks within their distributed coordination services.

The vulnerability undermines the integrity of ZooKeeper's authentication and authorization mechanisms by allowing attackers to impersonate legitimate servers or clients if they can spoof PTR records and present a trusted certificate. This can lead to unauthorized access, manipulation of distributed coordination data, and potential disruption of services relying on ZooKeeper for configuration management, leader election, or synchronization. While confidentiality and availability are not directly impacted, the integrity compromise can cascade into broader security issues, including unauthorized configuration changes or denial of service through malicious quorum manipulation. Organizations using affected versions in critical infrastructure, cloud services, or large-scale distributed systems face increased risk of targeted attacks aiming to disrupt or control their coordination services. The requirement for a trusted certificate limits the attack surface but does not eliminate it, especially in environments where certificate management is weak or compromised.

Organizations should upgrade Apache ZooKeeper to versions 3.8.6 or 3.9.5, which include a new configuration option to disable reverse DNS lookups in client and quorum protocols, effectively removing the insecure fallback. If immediate upgrade is not feasible, administrators should configure ZooKeeper to disable reverse DNS resolution explicitly, if supported, or restrict network access to ZooKeeper nodes to trusted hosts only, minimizing exposure to attackers capable of spoofing PTR records. Additionally, organizations should audit and tighten certificate issuance and trust policies to ensure that only authorized certificates are accepted by ZKTrustManager. Monitoring DNS records for unauthorized changes and implementing DNS security extensions (DNSSEC) can help detect or prevent PTR record spoofing. Regularly reviewing ZooKeeper logs for unusual authentication failures or unexpected node identities can aid in early detection of exploitation attempts. Finally, integrating ZooKeeper security with broader infrastructure security controls, such as network segmentation and strong identity management, will reduce the overall risk.