CVE-2026-12490
Received Received - Intake
Remote XFR Authentication Bypass in PowerDNS Authoritative

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: NLnet Labs

Description
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-12490
EUVD
EUVD-2026-39185
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nlnetlabs nsd to 4.14.2 (inc)
nlnetlabs nsd 4.14.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the NSD software's handling of secondary servers requesting zone transfers over TLS or TCP. When a provide-xfr rule includes a tls-auth-name, the secondary server is supposed to provide a client certificate with that name to authenticate the transfer.

However, the vulnerability arises because if the transfer request comes over TLS on the regular tls-port (not the tls-auth-port) or over TCP on the regular port, no client certificate is required even if the tls-auth-name is specified. This bypasses the intended client certificate verification.

This means an attacker who meets other access control conditions can bypass the client certificate requirement and potentially perform unauthorized zone transfers.

Impact Analysis

This vulnerability can allow an attacker to bypass client certificate authentication when requesting zone transfers from an NSD server.

As a result, unauthorized parties could obtain DNS zone data that should be protected, potentially exposing sensitive network information.

This could lead to further attacks such as DNS spoofing, reconnaissance, or other security breaches based on the leaked zone information.

Detection Guidance

This vulnerability involves secondary servers transferring zones without providing the required client certificate when using certain ports and protocols. Detection would involve monitoring zone transfer requests to identify transfers occurring over TLS on the regular tls-port or over TCP on the regular port without client certificate authentication.

Specifically, you should look for zone transfer requests that match the "provide-xfr" rule conditions but do not present a client certificate, especially if the transfer is over TLS on the regular tls-port or over TCP on the regular port.

While no explicit commands are provided in the resources, network monitoring tools or packet capture utilities (such as tcpdump or Wireshark) can be used to capture and analyze DNS zone transfer traffic on the relevant ports to check for the presence or absence of client certificates during TLS handshakes.

Mitigation Strategies

To mitigate this vulnerability, the recommended immediate step is to upgrade to NSD version 4.14.3, which includes the fix for this issue.

If upgrading is not immediately possible, a manual patch is available for NSD 4.14.2. This patch can be applied to the NSD source directory using the provided diff file, followed by running 'make install' to install the updated version.

Additionally, configuring the "tls-auth-xfr-only" option explicitly to "yes" can help enforce client certificate authentication for transfers, reducing the risk of bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart