CVE-2026-24308
Received Received - Intake
Information Exposure via Improper Logging in Apache ZooKeeper ZKConfig

Publication date: 2026-03-07

Last updated on: 2026-03-10

Assigner: Apache Software Foundation

Description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue.Β Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24308
EUVD
EUVD-2026-10140
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache zookeeper From 3.8.0 (inc) to 3.8.6 (exc)
apache zookeeper From 3.9.0 (inc) to 3.9.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

Users are recommended to upgrade Apache ZooKeeper to version 3.8.6 or 3.9.5, which fixes the issue of sensitive information exposure in client logfiles.

Executive Summary

This vulnerability involves improper handling of configuration values in the ZKConfig component of Apache ZooKeeper versions 3.8.5 and 3.9.4. It causes sensitive information stored in client configuration to be exposed in the client's logfile.

The sensitive configuration values are logged at the INFO level, which means they can be viewed in production system logs, potentially exposing confidential data.

The issue affects all platforms running the specified versions of Apache ZooKeeper.

Impact Analysis

This vulnerability can lead to exposure of sensitive information through log files, which may include confidential client configuration details.

If an attacker gains access to these log files, they could retrieve sensitive data that might be used to compromise the system or gain unauthorized access.

Such exposure can increase the risk of data breaches and undermine the security of production environments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart