CVE-2026-35579
TSIG Authentication Bypass in CoreDNS
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coredns | coredns | all releases before 1.14.3 (1.14.3 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an unauthenticated attacker bypass TSIG authentication and reach TSIG-gated server functionality such as zone transfers and dynamic DNS updates. That is both a confidentiality problem (zone contents can be read out with AXFR/IXFR) and an integrity problem (records can be added, changed or deleted through dynamic updates).
Because the underlying failure is an access-control one, it bears on standards and regulations such as GDPR and HIPAA that require proper authentication and access controls around systems handling personal or health data. The actual compliance impact of a given deployment depends on what the affected zones contain and which operations TSIG was guarding.
Disabling the affected transports or restricting network access to them reduces exposure as a stopgap; the fix is upgrading to CoreDNS 1.14.3, where the issue is corrected.
Can you explain this vulnerability to me?
This vulnerability affects CoreDNS versions before 1.14.3 in the TSIG authentication handling of four transports: gRPC, QUIC, DoH (DNS over HTTPS) and DoH3 (DNS over HTTP/3).
For gRPC and QUIC, the server checks whether the TSIG key name in the request matches a configured key but never verifies the HMAC with dns.TsigVerify(). If the name matches, the request is treated as authenticated whatever the MAC contains. TSIG key names are not secret: they travel in the clear in the TSIG record of every signed message, so observing or guessing a valid name is a low bar.
For DoH and DoH3 the defect is worse: the server never inspects the TSIG record at all, so any request that merely contains a TSIG record is treated as authenticated, even with an unknown key name and an arbitrary MAC.
An unauthenticated network attacker who can reach one of these listeners can therefore use TSIG-protected functions: zone transfers (AXFR/IXFR), dynamic DNS updates, or any other plugin behaviour gated on a TSIG-signed request.
The issue is fixed in CoreDNS 1.14.3. Workarounds are to disable the affected listeners or to restrict network access to them to trusted sources.
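The two broken checks described above, placed beside a correct verifier, as an added example in Go. This is not CoreDNS's code and not miekg/dns: it uses a deliberately simplified TSIG model in which the MAC is HMAC-SHA256 over the message bytes alone (real TSIG per RFC 8945 also covers the key name, algorithm, time signed and fudge), and every key name, secret and message below is constructed for the example. It goes slightly beyond the advisory text by also showing that the correct verifier rejects a genuine MAC replayed on a modified message.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Simplified TSIG model for this example (assumption, not CoreDNS's types):
// the MAC is HMAC-SHA256 over the message bytes only.
type tsigRecord struct {
	KeyName string // TSIG key (owner) name, e.g. "axfr-key."
	MAC     []byte // HMAC the client claims to have computed
}

type request struct {
	Msg  []byte      // wire-format DNS message (constructed bytes here)
	TSIG *tsigRecord // nil when the request carries no TSIG record
}

var (
	errTSIGMissing = errors.New("tsig: request carries no TSIG record")
	errTSIGBadKey  = errors.New("tsig: unknown key name")
	errTSIGBadMAC  = errors.New("tsig: MAC verification failed")
)

// computeMAC is shared by the signer and the correct verifier.
func computeMAC(msg, secret []byte) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(msg)
	return h.Sum(nil)
}

// sign attaches the MAC a legitimate client holding the secret would produce.
func sign(msg []byte, keyName string, secret []byte) request {
	return request{Msg: msg, TSIG: &tsigRecord{KeyName: keyName, MAC: computeMAC(msg, secret)}}
}

// checkGRPCPre1143 reproduces the pre-1.14.3 gRPC/QUIC logic the advisory
// describes: the key name is looked up, but the MAC is never recomputed.
func checkGRPCPre1143(secrets map[string][]byte, r request) error {
	if r.TSIG == nil {
		return errTSIGMissing
	}
	if _, ok := secrets[r.TSIG.KeyName]; !ok {
		return errTSIGBadKey
	}
	return nil // accepted regardless of r.TSIG.MAC
}

// checkDoHPre1143 reproduces the pre-1.14.3 DoH/DoH3 logic: the mere
// presence of a TSIG record is taken as proof of authentication.
func checkDoHPre1143(secrets map[string][]byte, r request) error {
	if r.TSIG == nil {
		return errTSIGMissing
	}
	return nil // key name and MAC are never inspected
}

// checkFixed does what a verifier must do: look the key up, recompute the
// MAC under that secret, and compare in constant time. CoreDNS 1.14.3 does
// this through dns.TsigVerify; this function is a stand-in, not that code.
func checkFixed(secrets map[string][]byte, r request) error {
	if r.TSIG == nil {
		return errTSIGMissing
	}
	secret, ok := secrets[r.TSIG.KeyName]
	if !ok {
		return errTSIGBadKey
	}
	if !hmac.Equal(computeMAC(r.Msg, secret), r.TSIG.MAC) {
		return errTSIGBadMAC
	}
	return nil
}

// Constructed fixtures: one configured key, an AXFR-shaped message, a
// genuine request, and two forgeries that carry no knowledge of the secret.
var (
	secrets   = map[string][]byte{"axfr-key.": []byte("constructed-shared-secret")}
	axfrQuery = []byte("constructed: AXFR example.org.")
	genuine   = sign(axfrQuery, "axfr-key.", secrets["axfr-key."])
	// attacker knows a configured key name (names are sent in the clear), MAC is garbage
	forgedKnownName = request{Msg: axfrQuery, TSIG: &tsigRecord{KeyName: "axfr-key.", MAC: []byte("garbage")}}
	// attacker knows nothing and sends any TSIG record at all
	forgedAnyName = request{Msg: axfrQuery, TSIG: &tsigRecord{KeyName: "nope.", MAC: []byte{0}}}
)

func main() {
	for _, c := range []struct {
		name string
		fn   func(map[string][]byte, request) error
	}{{"gRPC/QUIC <1.14.3", checkGRPCPre1143}, {"DoH/DoH3 <1.14.3", checkDoHPre1143}, {"fixed verifier", checkFixed}} {
		fmt.Printf("%-18s genuine=%v  forged(known name)=%v  forged(any name)=%v\n",
			c.name, c.fn(secrets, genuine), c.fn(secrets, forgedKnownName), c.fn(secrets, forgedAnyName))
	}
}
```

Running it shows the gRPC/QUIC check accepting the forgery with a known key name, the DoH/DoH3 check accepting both forgeries, and only the fixed verifier rejecting them while still accepting the genuine request. The constant-time comparison (hmac.Equal) is the other detail worth copying: a plain byte comparison would turn a correct verifier into a timing oracle for the MAC.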
How can this vulnerability impact me?
This vulnerability lets an unauthenticated attacker bypass the TSIG authentication that CoreDNS applies on the gRPC, QUIC, DoH and DoH3 transports.
With that bypass the attacker can perform actions normally reserved for holders of the TSIG secret: zone transfers (AXFR/IXFR), dynamic DNS updates, or other TSIG-gated operations.
The consequences are disclosure of whole zone contents (an AXFR returns every record in the zone, internal hostnames included), unauthorised changes to records (for example pointing names at attacker-controlled addresses), or disruption of resolution by deleting or corrupting records.
The DoH and DoH3 transports are the worst case because the attacker does not even need a valid TSIG key name; any TSIG record in the request suffices.
What immediate steps should I take to mitigate this vulnerability?
The fix is to upgrade CoreDNS to 1.14.3 or later, and to confirm the running version afterwards (for example from the container image tag, or with `coredns -version`).
Until you can upgrade, disable the gRPC, QUIC, DoH and DoH3 server blocks on any instance where TSIG is what gates zone transfers, dynamic updates or other sensitive operations, since those are exactly the functions the bypass reaches.
If a listener must stay up, restrict network access to its port to trusted source addresses (host firewall, security group, or an allow-list in front of the listener) so that only clients that would legitimately hold the TSIG secret can reach it.