CVE-2026-26017
Received - Intake
TOCTOU Vulnerability in CoreDNS Plugins Allows DNS Access Bypass

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-09
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: coredns.io
Product: coredns
Version / Range: to 1.14.2 (exc)
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26017 is a high-severity logical vulnerability in CoreDNS versions prior to 1.14.2 that allows DNS access control lists (ACLs) to be bypassed due to the default execution order of plugins.

Specifically, security plugins like "acl" are evaluated before the "rewrite" plugin, creating a Time-of-Check to Time-of-Use (TOCTOU) flaw. This means that the ACL check happens before the DNS request is rewritten, allowing an attacker to bypass access controls by exploiting the order in which plugins are executed.

For example, an ACL might block access to domains matching *.admin.svc.cluster.local, but a rewrite rule maps a public name (e.g., public-name) to admin.svc.cluster.local. Because the ACL check happens before the rewrite, an unprivileged pod querying public-name is allowed by the ACL, but after rewriting, the request exposes the internal admin service IP, leading to unauthorized access. [1]


How can this vulnerability impact me?

This vulnerability can allow attackers to bypass DNS-based access controls, leading to unauthorized service discovery and reconnaissance of restricted internal infrastructure.

In multi-tenant Kubernetes clusters, this means an attacker could access internal services that should be protected by ACLs, potentially exposing sensitive internal network information.

The CVSS v3.1 base score of 7.7 indicates a high severity with a high confidentiality impact, meaning sensitive information could be disclosed without affecting integrity or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by examining the CoreDNS plugin configuration to check the execution order of plugins. Specifically, if the 'acl' plugin is evaluated before the 'rewrite' plugin, the system is vulnerable to the TOCTOU flaw described.

To detect this on your system, review the CoreDNS configuration file (usually Corefile) for the order of plugins. For example, you can use commands like:

- cat /etc/coredns/Corefile | grep -E 'rewrite|acl' -A 5 -B 5
- grep -n 'rewrite' /etc/coredns/Corefile
- grep -n 'acl' /etc/coredns/Corefile

If the line number of 'acl' is before 'rewrite', the plugin order is vulnerable. Additionally, monitoring DNS queries for unexpected domain rewrites or unauthorized access to internal domains can indicate exploitation attempts. [1]
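As a complement to the grep commands above, the following added example (not code from CoreDNS or from this page's sources) audits a Corefile for the scenario described earlier: a name rewrite whose target lands inside a zone that an acl rule denies, while the queried name lies outside that zone. It compares zones and rewrite targets within each server block rather than line positions. The function names, the simplified Corefile parsing, and the sample names and CIDR are assumptions made for illustration.

```python
MATCH_TYPES = {"exact", "prefix", "suffix", "substring", "regex"}
DENY_ACTIONS = {"block", "drop", "filter"}  # acl actions that refuse or hide answers

# Constructed sample mirroring the page's scenario; names and CIDR are made up.
SAMPLE_COREFILE = """\
.:53 {
    acl admin.svc.cluster.local {
        block net 10.244.0.0/16
    }
    rewrite name exact public-name.example.org db.admin.svc.cluster.local
    rewrite name exact www.example.org web.default.svc.cluster.local
    kubernetes cluster.local
}
"""

def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it ('.' matches everything)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)

def find_acl_rewrite_conflicts(corefile):
    """Return (from, to, zone) tuples where a rewrite maps a name outside a
    denied acl zone to a name inside it, within the same server block."""
    findings, depth = [], 0
    denied, rewrites, pending = [], [], None
    for raw in corefile.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tok:
            continue
        if depth == 1 and tok[0] == "acl":
            # Zones listed on the acl line; none means the whole server block.
            pending = [t for t in tok[1:] if t != "{"] or ["."]
        elif depth == 2 and pending and tok[0] in DENY_ACTIONS:
            denied.extend([z for z in pending if z not in denied])
        elif depth == 1 and tok[0] == "rewrite":
            args = [t for t in tok[1:] if t not in ("continue", "stop")]
            if args[:1] == ["name"]:
                # Regex rules are compared textually here (simplification).
                args = [t for t in args[1:] if t not in MATCH_TYPES]
                if len(args) >= 2:
                    rewrites.append((args[0], args[1]))
        depth += tok.count("{") - tok.count("}")
        if depth < 2:
            pending = None
        if depth == 0:  # server block closed: evaluate it, then reset
            findings += [(f, t, z) for f, t in rewrites for z in denied
                         if in_zone(t, z) and not in_zone(f, z)]
            denied, rewrites = [], []
    return findings
```

Any tuple returned identifies a rewrite rule that should be reviewed on CoreDNS versions prior to 1.14.2; an empty list means no rewrite target in the file overlaps a denied acl zone.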


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade CoreDNS to version 1.14.2 or later, where this vulnerability has been patched by reordering the 'rewrite' plugin to execute before the 'acl' plugin.

If upgrading immediately is not possible, a workaround is to manually reorder the plugin configuration in the CoreDNS Corefile so that the 'rewrite' and other normalization plugins run before the 'acl', 'opa', and 'firewall' plugins. This ensures that access control checks occur after name normalization, preventing ACL bypass. [1, 2]

