CVE-2026-33489
Analyzed Analyzed - Analysis Complete
Incorrect ACL Zone Selection in CoreDNS Transfer Plugin Allows Unauthorized Zone Transfers

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33489
EUVD
EUVD-2026-27450
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
coredns.io coredns to 1.14.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized remote clients to perform zone transfers (AXFR/IXFR) on subzones that should be restricted, exposing full zone contents. Such unauthorized data exposure can lead to confidentiality breaches.

Exposure of DNS zone data may result in the leakage of sensitive information, which could impact compliance with data protection regulations such as GDPR and HIPAA that require protection of confidential information and prevention of unauthorized access.

Therefore, organizations using vulnerable versions of CoreDNS may face increased risk of non-compliance with these standards due to potential unauthorized disclosure of DNS zone data.

Executive Summary

This vulnerability exists in CoreDNS versions prior to 1.14.3 within the transfer plugin. The issue is that the function responsible for selecting the appropriate Access Control List (ACL) stanza for DNS zone transfers uses a lexicographic string comparison instead of correctly matching the longest suffix. As a result, a permissive parent zone transfer rule can override a more restrictive subzone rule depending on the alphabetical order of zone names.

This flaw allows an unauthorized remote client to perform AXFR/IXFR zone transfers for subzones that should be restricted, thereby exposing the full contents of those subzones.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of DNS zone data. Specifically, an attacker can bypass restrictive subzone transfer rules by exploiting the incorrect zone matching logic, allowing them to retrieve the full zone contents of subzones that should be protected.

This unauthorized access can compromise the confidentiality of DNS data, potentially exposing sensitive information about network infrastructure and domain configurations.

Detection Guidance

This vulnerability involves unauthorized AXFR/IXFR zone transfers due to incorrect ACL stanza selection in CoreDNS versions prior to 1.14.3. To detect exploitation attempts on your network or system, you can monitor DNS traffic for unexpected or unauthorized AXFR/IXFR requests, especially for subzones that should be restricted.

Commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter DNS zone transfer requests:

  • tcpdump -i <interface> port 53 and '(udp or tcp)' and '((tcp[2:2] = 252) or (udp[10] = 252))'
  • This command filters DNS traffic on port 53 and looks for AXFR (zone transfer) requests, which use opcode 252.

Additionally, reviewing CoreDNS logs for zone transfer requests and verifying if any unauthorized clients are performing AXFR/IXFR on subzones can help detect this vulnerability being exploited.

Mitigation Strategies

The primary mitigation step is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, review and tighten your DNS transfer ACLs to ensure that permissive parent zone transfer rules do not override restrictive subzone rules.

Monitoring and restricting access to DNS zone transfers to trusted clients only can also reduce the risk of unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart