CVE-2026-24308
Received Received - Intake
Information Exposure via Improper Logging in Apache ZooKeeper ZKConfig

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: Apache Software Foundation

Description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.Β Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-05-07
AI Q&A
2026-03-07
EPSS Evaluated
2026-05-05
NVD
CVE-2026-24308
EUVD
EUVD-2026-10140
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache zookeeper From 3.8.0 (inc) to 3.8.6 (exc)
apache zookeeper From 3.9.0 (inc) to 3.9.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5, which fixes the issue of sensitive information exposure in client logfiles.


Can you explain this vulnerability to me?

This vulnerability involves improper handling of configuration values in the ZKConfig component of Apache ZooKeeper versions 3.8.5 and 3.9.4. It causes sensitive information stored in client configuration to be exposed in the client's logfile.

The sensitive configuration values are logged at the INFO level, which means they can be viewed in production system logs, potentially exposing confidential data.

The issue affects all platforms running the specified versions of Apache ZooKeeper.


How can this vulnerability impact me? :

This vulnerability can lead to exposure of sensitive information through log files, which may include confidential client configuration details.

If an attacker gains access to these log files, they could retrieve sensitive data that might be used to compromise the system or gain unauthorized access.

Such exposure can increase the risk of data breaches and undermine the security of production environments.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart