CVE-2026-33489
Incorrect ACL Zone Selection in CoreDNS Transfer Plugin Allows Unauthorized Zone Transfers
Publication date: 2026-05-05
Last updated on: 2026-05-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | < 1.14.3 (1.14.3 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized remote clients to perform zone transfers (AXFR/IXFR) on subzones that should be restricted, exposing full zone contents. Such unauthorized data exposure can lead to confidentiality breaches.
Exposure of DNS zone data may result in the leakage of sensitive information, which could impact compliance with data protection regulations such as GDPR and HIPAA that require protection of confidential information and prevention of unauthorized access.
Therefore, organizations using vulnerable versions of CoreDNS may face increased risk of non-compliance with these standards due to potential unauthorized disclosure of DNS zone data.
Can you explain this vulnerability to me?
This vulnerability exists in CoreDNS versions prior to 1.14.3 within the transfer plugin. The issue is that the function responsible for selecting the appropriate Access Control List (ACL) stanza for DNS zone transfers uses a lexicographic string comparison instead of correctly matching the longest suffix. As a result, a permissive parent zone transfer rule can override a more restrictive subzone rule depending on the alphabetical order of zone names.
This flaw allows an unauthorized remote client to perform AXFR/IXFR zone transfers for subzones that should be restricted, thereby exposing the full contents of those subzones.
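As an added example (not CoreDNS's own code), the selection step described above modelled in Go: `buggyPrefer` ranks matching ACL stanzas by string order, so whether the open parent or the restricted subzone wins depends on how the names sort, while `fixedPrefer` keeps the longest matching suffix. The `stanza` type, the selector functions and the sample ACL are assumptions constructed for illustration.

```go
package main

import "strings"

// stanza models one `transfer` block: the zone it covers and the clients
// allowed to pull it; "*" means any client. Constructed model, not CoreDNS code.
type stanza struct {
	zone string
	to   []string
}

// selectStanza returns the stanza covering name that `prefer` ranks highest.
func selectStanza(acl []stanza, name string, prefer func(cand, best stanza) bool) *stanza {
	var best *stanza
	for i := range acl {
		covers := name == acl[i].zone || strings.HasSuffix(name, "."+acl[i].zone)
		if covers && (best == nil || prefer(acl[i], *best)) {
			best = &acl[i]
		}
	}
	return best
}

// buggyPrefer models the defect: a lexicographic comparison, so the winner
// depends on how the zone names happen to sort, not on specificity.
func buggyPrefer(cand, best stanza) bool { return cand.zone > best.zone }

// fixedPrefer keeps the longest matching suffix: the most specific zone wins.
func fixedPrefer(cand, best stanza) bool { return len(cand.zone) > len(best.zone) }

// transferAllowed decides a client's AXFR/IXFR request under the chosen selector.
func transferAllowed(acl []stanza, name, client string, prefer func(cand, best stanza) bool) bool {
	s := selectStanza(acl, name, prefer)
	if s == nil {
		return false
	}
	for _, t := range s.to {
		if t == "*" || t == client {
			return true
		}
	}
	return false
}

// Constructed ACL: an open parent zone plus subzones restricted to one secondary.
var sampleACL = []stanza{
	{zone: "example.org.", to: []string{"*"}},
	{zone: "alpha.example.org.", to: []string{"10.0.0.5"}},
	{zone: "zulu.example.org.", to: []string{"10.0.0.5"}},
}
```

With the buggy selector an untrusted client can pull `alpha.example.org.` (the parent sorts after it) but not `zulu.example.org.` (which sorts after the parent); with the fixed selector both subzones stay restricted to 10.0.0.5.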
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of DNS zone data. Specifically, an attacker can bypass restrictive subzone transfer rules by exploiting the incorrect zone matching logic, allowing them to retrieve the full zone contents of subzones that should be protected.
This unauthorized access can compromise the confidentiality of DNS data, potentially exposing sensitive information about network infrastructure and domain configurations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized AXFR/IXFR zone transfers due to incorrect ACL stanza selection in CoreDNS versions prior to 1.14.3. To detect exploitation attempts on your network or system, you can monitor DNS traffic for unexpected or unauthorized AXFR/IXFR requests, especially for subzones that should be restricted.
Commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter DNS zone transfer requests:
- tcpdump -i <interface> -nn 'tcp port 53'
- This command captures DNS over TCP, which is how AXFR/IXFR zone transfers are carried. The request's QTYPE (252 for AXFR, 251 for IXFR) follows the variable-length query name, so a fixed-offset BPF byte test cannot pick it out reliably; decode the capture in Wireshark or tshark with the display filter dns.qry.type == 252 || dns.qry.type == 251 to list transfer requests and the clients that sent them.
Additionally, reviewing CoreDNS logs for zone transfer requests and verifying if any unauthorized clients are performing AXFR/IXFR on subzones can help detect this vulnerability being exploited.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, review and tighten your DNS transfer ACLs to ensure that permissive parent zone transfer rules do not override restrictive subzone rules.
Monitoring and restricting access to DNS zone transfers to trusted clients only can also reduce the risk of unauthorized data exposure.