CVE-2026-12490
Analyzed Analyzed - Analysis Complete

Remote XFR Authentication Bypass in PowerDNS Authoritative

Vulnerability report for CVE-2026-12490, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: NLnet Labs

Description

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nlnetlabs nsd to 4.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves the NSD software's handling of secondary servers requesting zone transfers over TLS or TCP. When a provide-xfr rule includes a tls-auth-name, the secondary server is supposed to provide a client certificate with that name to authenticate the transfer.

However, the vulnerability arises because if the transfer request comes over TLS on the regular tls-port (not the tls-auth-port) or over TCP on the regular port, no client certificate is required even if the tls-auth-name is specified. This bypasses the intended client certificate verification.

This means an attacker who meets other access control conditions can bypass the client certificate requirement and potentially perform unauthorized zone transfers.

Impact Analysis

This vulnerability can allow an attacker to bypass client certificate authentication when requesting zone transfers from an NSD server.

As a result, unauthorized parties could obtain DNS zone data that should be protected, potentially exposing sensitive network information.

This could lead to further attacks such as DNS spoofing, reconnaissance, or other security breaches based on the leaked zone information.

Detection Guidance

This vulnerability involves secondary servers transferring zones without providing the required client certificate when using certain ports and protocols. Detection would involve monitoring zone transfer requests to identify transfers occurring over TLS on the regular tls-port or over TCP on the regular port without client certificate authentication.

Specifically, you should look for zone transfer requests that match the "provide-xfr" rule conditions but do not present a client certificate, especially if the transfer is over TLS on the regular tls-port or over TCP on the regular port.

While no explicit commands are provided in the resources, network monitoring tools or packet capture utilities (such as tcpdump or Wireshark) can be used to capture and analyze DNS zone transfer traffic on the relevant ports to check for the presence or absence of client certificates during TLS handshakes.

Mitigation Strategies

To mitigate this vulnerability, the recommended immediate step is to upgrade to NSD version 4.14.3, which includes the fix for this issue.

If upgrading is not immediately possible, a manual patch is available for NSD 4.14.2. This patch can be applied to the NSD source directory using the provided diff file, followed by running 'make install' to install the updated version.

Additionally, configuring the "tls-auth-xfr-only" option explicitly to "yes" can help enforce client certificate authentication for transfers, reducing the risk of bypass.

Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart