Apache ZooKeeper Vulnerability Allows Attackers to Access Sensitive Data

Apache ZooKeeper, a widely used centralized service for maintaining configuration data and synchronization in distributed systems, has received critical security patches addressing two high-impact flaws that could lead to sensitive data exposure and potential server impersonation attacks.

The Apache Software Foundation (ASF) rated both vulnerabilities as “Important” due to their potential impact on enterprise-scale production environments.

Configuration and Hostname Verification Flaws

The first issue, tracked as CVE-2026-24308, involves accidental sensitive information disclosure through improper logging behavior in the ZKConfig component.

Due to inadequate log sanitization, configuration values, including credentials and environment settings, were being stored at the INFO log level in plain text.

Because INFO-level logging is typically enabled by default in production deployments, any user or attacker who gains access to these logs could view confidential configuration data.

According to ASF, this flaw could affect both operational security and infrastructure privacy. Security researcher Youlong Chen identified and responsibly disclosed this issue.

The second flaw, CVE-2026-24281, affects hostname verification within the ZKTrustManager. When standard IP-based Subject Alternative Name (SAN) checks fail, ZooKeeper falls back to a reverse DNS (PTR) lookup for hostname validation.

Attackers capable of manipulating or spoofing PTR records could exploit this behavior to masquerade as legitimate ZooKeeper servers or clients.

While the attack requires a digitally signed certificate that the ZKTrustManager already trusts, it still poses a severe risk in tightly controlled environments that rely on hostname verification to enforce trust boundaries.

The flaw, reported by Nikita Markevich and tracked internally as ZOOKEEPER-4986, impacts the same release ranges as the first issue.

Two important vulnerabilities were identified in Apache ZooKeeper affecting versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4.

The first, CVE-2026-24308, involves sensitive information disclosure in logs due to the ZKConfig component logging at the INFO level, which could expose confidential configuration details.

The second, CVE-2026-24281, allows hostname verification bypass through the use of reverse DNS fallback in ZKTrustManager, potentially enabling man-in-the-middle (MITM) attacks.

Both issues are classified as Important and require prompt mitigation to prevent unauthorized access or data exposure.

ASF recommends upgrading to ZooKeeper versions 3.8.6 or 3.9.5 immediately. These patched releases correct the logging function to ensure credentials and configuration secrets are no longer exposed in plain text.

They also introduce a new configuration option to disable reverse DNS lookups entirely, removing the PTR fallback mechanism that enabled potential hostname spoofing.

Administrators should audit existing ZooKeeper logs for any exposed credentials and rotate passwords or authentication keys found in those files.
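To support that audit, here is an added example (not code from the ZooKeeper project or the article) that scans log text for secret-like configuration values emitted by the ZKConfig logger at INFO level. The log layout, the `key=... value=...` format and the sample lines are constructed assumptions; adapt the regular expressions to your own log4j pattern.

```python
import re
from typing import Dict, List

# Constructed sample lines in a log4j-style layout (not real ZooKeeper output).
# The ZKConfig entries model the INFO-level configuration dump described in CVE-2026-24308.
SAMPLE_LOG = """\
2026-02-03 09:12:01,004 [myid:1] - INFO  [main:ZKConfig@88] - Reading configuration from: /opt/zookeeper/conf/zoo.cfg
2026-02-03 09:12:01,010 [myid:1] - INFO  [main:ZKConfig@91] - key=zookeeper.ssl.keyStore.password value=Hunter2!
2026-02-03 09:12:01,011 [myid:1] - INFO  [main:ZKConfig@91] - key=zookeeper.ssl.trustStore.password value=changeit
2026-02-03 09:12:01,012 [myid:1] - INFO  [main:ZKConfig@91] - key=tickTime value=2000
2026-02-03 09:12:01,013 [myid:1] - INFO  [main:ZKConfig@91] - key=dataDir value=/var/lib/zookeeper
2026-02-03 09:12:02,500 [myid:1] - WARN  [main:QuorumPeer@120] - key=zookeeper.ssl.keyStore.password value=ignored
"""

# Heuristic: configuration keys whose values should never be written to a log.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|credential)", re.IGNORECASE)

# Hypothetical line layout: log level, logger class, then one key=... value=... pair.
LINE_RE = re.compile(
    r"- (?P<level>[A-Z]+)\s+\[[^\]]*?:(?P<logger>\w+)@\d+\] - key=(?P<key>\S+) value=(?P<value>.*)$"
)


def mask(value: str) -> str:
    """Report only the length so the audit output does not re-expose the secret."""
    return "*" * len(value) if value else "<empty>"


def find_exposed_secrets(log_text: str, logger: str = "ZKConfig", level: str = "INFO") -> List[Dict[str, object]]:
    """Return line number, key and masked value of every secret-like config value
    that `logger` wrote at `level`. Plaintext values never reach the report."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m or m["logger"] != logger or m["level"] != level:
            continue
        if SECRET_KEY_RE.search(m["key"]):
            hits.append({"line": lineno, "key": m["key"], "value": mask(m["value"])})
    return hits


if __name__ == "__main__":
    for hit in find_exposed_secrets(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['key']} = {hit['value']}  -> rotate this credential")
```

Every key reported here should be treated as compromised and rotated, since the plaintext value sat in a log that INFO-level retention may have shipped to collectors and backups.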


The post Apache ZooKeeper Vulnerability Allows Attackers to Access Sensitive Data appeared first on Cyber Security News.
