CVE-2026-24029
ACL Bypass in Open-Xchange DoH Frontend via Disabled early_acl_drop
Publication date: 2026-03-31
Last updated on: 2026-04-14
Assigner: Open-Xchange
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.12 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the early_acl_drop (earlyACLDrop in Lua) option is enabled on your DNS over HTTPS frontend using the nghttp2 provider. This setting is enabled by default, and disabling it causes the ACL check to be skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Can you explain this vulnerability to me?
This vulnerability occurs when the early_acl_drop (earlyACLDrop in Lua) option is disabled on a DNS over HTTPS (DoH) frontend that uses the nghttp2 provider. Normally, this option is enabled by default to enforce access control lists (ACLs). When disabled, the ACL check is skipped, which means that all clients can send DoH queries regardless of the configured ACL restrictions.
How can this vulnerability impact me?
Because the ACL check is bypassed, unauthorized clients may be able to send DNS over HTTPS queries through the affected frontend. This can lead to unauthorized use of the service, potential information disclosure, and increased risk of abuse or exploitation since the system cannot restrict access as intended.
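The mitigation described in the Q&A above, shown as an added dnsdist Lua configuration example that is not part of this advisory or of the dnsdist project: the weak DoH frontend definition beside the corrected one. The listen address, certificate and key paths, the ACL ranges and the `library` option name are assumptions; only `earlyACLDrop` comes from the advisory.

```lua
-- Added example, not from the advisory: dnsdist Lua configuration for a
-- DoH frontend using the nghttp2 provider. Addresses, paths, ACL ranges and
-- the "library" option are placeholders/assumptions.

-- Only these client networks are meant to reach the resolver (assumed ranges).
setACL({"192.0.2.0/24", "2001:db8::/32"})

-- WEAK: earlyACLDrop=false on an nghttp2 DoH frontend. In the affected
-- versions listed above this skips the ACL check entirely, so any client
-- that can reach the frontend can send DoH queries regardless of setACL().
-- Left commented out so this file only defines the corrected frontend.
-- addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
--             {"/dns-query"}, {library = "nghttp2", earlyACLDrop = false})

-- CORRECTED: keep the default early ACL drop (written out explicitly here so
-- a config review can see it), so the configured ACL is enforced for DoH.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"}, {library = "nghttp2", earlyACLDrop = true})
```

When auditing an existing configuration, search every addDOHLocal() call (or every DoH frontend in a YAML config using early_acl_drop) for an explicit false value; the default is already the safe one.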