CVE-2026-26017
TOCTOU Vulnerability in CoreDNS Plugins Allows DNS Access Bypass

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-09
Generated: 2026-06-16
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: coredns.io
Product: coredns
Version / Range: up to 1.14.2 (excluding 1.14.2)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Executive Summary

CVE-2026-26017 is a high-severity logical vulnerability in CoreDNS versions prior to 1.14.2 that allows DNS access control lists (ACLs) to be bypassed due to the default execution order of plugins.

Specifically, security plugins like "acl" are evaluated before the "rewrite" plugin, creating a Time-of-Check to Time-of-Use (TOCTOU) flaw. This means the ACL check happens before the DNS request is rewritten, so an attacker can bypass access controls by exploiting the order in which plugins are executed.

For example, an ACL might block access to domains matching *.admin.svc.cluster.local, but a rewrite rule maps a public name (e.g., public-name) to admin.svc.cluster.local. Because the ACL check happens before the rewrite, an unprivileged pod querying public-name is allowed by the ACL, but after rewriting, the request exposes the internal admin service IP, leading to unauthorized access. [1]

Impact Analysis

This vulnerability can allow attackers to bypass DNS-based access controls, leading to unauthorized service discovery and reconnaissance of restricted internal infrastructure.

In multi-tenant Kubernetes clusters, this means an attacker could access internal services that should be protected by ACLs, potentially exposing sensitive internal network information.

The CVSS v3.1 base score of 7.7 indicates a high severity with a high confidentiality impact, meaning sensitive information could be disclosed without affecting integrity or availability.


Detection Guidance

This vulnerability can be detected by examining the CoreDNS plugin configuration to check the execution order of plugins. Specifically, if the 'acl' plugin is evaluated before the 'rewrite' plugin, the system is vulnerable to the TOCTOU flaw described.

To detect this on your system, review the CoreDNS configuration file (usually Corefile) for the order of plugins. For example, you can use commands like:

- grep -n -E -A 5 -B 5 'rewrite|acl' /etc/coredns/Corefile
- grep -n 'rewrite' /etc/coredns/Corefile
- grep -n 'acl' /etc/coredns/Corefile

If the line number of 'acl' is before 'rewrite', the plugin order is vulnerable. Additionally, monitoring DNS queries for unexpected domain rewrites or unauthorized access to internal domains can indicate exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade CoreDNS to version 1.14.2 or later, where this vulnerability has been patched by reordering the 'rewrite' plugin to execute before the 'acl' plugin.

If upgrading immediately is not possible, a workaround is to manually reorder the plugin configuration in the CoreDNS Corefile so that the 'rewrite' and other normalization plugins run before the 'acl', 'opa', and 'firewall' plugins. This ensures that access control checks occur after name normalization, preventing ACL bypass. [1, 2]
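To make the ordering concrete, the following is an added Go simulation written for this page (not CoreDNS code) of a two-plugin chain using the executive summary's example names: an acl stage protecting admin.svc.cluster.local and a rewrite stage mapping public-name onto it. With acl first, the query for public-name is answered with the rewritten internal name; with rewrite first, the 1.14.2 order, the same query is refused. The Plugin type, the suffix-based zone match and the names are simplifications assumed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Plugin is one stage of a simulated chain: it takes the query name and
// returns the (possibly rewritten) name plus whether the query may proceed.
type Plugin func(qname string) (string, bool)

// ACL refuses the zone apex and every name beneath it, standing in for an
// acl block that protects admin.svc.cluster.local.
func ACL(zone string) Plugin {
	return func(q string) (string, bool) {
		return q, !(q == zone || strings.HasSuffix(q, "."+zone))
	}
}

// Rewrite maps a public alias to the internal name, like a rewrite rule.
func Rewrite(from, to string) Plugin {
	return func(q string) (string, bool) {
		if q == from {
			return to, true
		}
		return q, true
	}
}

// Serve runs the chain in order and returns the final query name and whether
// every plugin let it through (false means the query was refused).
func Serve(chain []Plugin, qname string) (string, bool) {
	for _, p := range chain {
		var ok bool
		if qname, ok = p(qname); !ok {
			return qname, false
		}
	}
	return qname, true
}

// Constructed names taken from the advisory's example (hypothetical cluster).
const zone, alias = "admin.svc.cluster.local.", "public-name."

// VulnerableChain is the pre-1.14.2 order (acl, then rewrite); FixedChain is the 1.14.2 order.
func VulnerableChain() []Plugin { return []Plugin{ACL(zone), Rewrite(alias, zone)} }
func FixedChain() []Plugin      { return []Plugin{Rewrite(alias, zone), ACL(zone)} }

func main() {
	n, ok := Serve(VulnerableChain(), alias)
	fmt.Printf("acl,rewrite: %s -> %s allowed=%v\n", alias, n, ok) // allowed=true: bypass
	n, ok = Serve(FixedChain(), alias)
	fmt.Printf("rewrite,acl: %s -> %s allowed=%v\n", alias, n, ok) // allowed=false
}
```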
