CVE-2026-24308
Modified Modified - Updated After Analysis

Information Exposure via Improper Logging in Apache ZooKeeper ZKConfig

Vulnerability report for CVE-2026-24308, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-07

Last updated on: 2026-07-03

Assigner: Apache Software Foundation

Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.Β Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-07
Last Modified
2026-07-03
Generated
2026-07-06
AI Q&A
2026-03-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
apache zookeeper From 3.8.0 (inc) to 3.8.6 (exc)
apache zookeeper From 3.9.0 (inc) to 3.9.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
CWE-117 The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

Users are recommended to upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5, which fixes the issue of sensitive information exposure in client logfiles.

Executive Summary

This vulnerability involves improper handling of configuration values in the ZKConfig component of Apache ZooKeeper versions 3.8.5 and 3.9.4. It causes sensitive information stored in client configuration to be exposed in the client's logfile.

The sensitive configuration values are logged at the INFO level, which means they can be viewed in production system logs, potentially exposing confidential data.

The issue affects all platforms running the specified versions of Apache ZooKeeper.

Impact Analysis

This vulnerability can lead to exposure of sensitive information through log files, which may include confidential client configuration details.

If an attacker gains access to these log files, they could retrieve sensitive data that might be used to compromise the system or gain unauthorized access.

Such exposure can increase the risk of data breaches and undermine the security of production environments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart