Apache ZooKeeper Vulnerability: Two "Important" severity vulnerabilities have been disclosed in Apache ZooKeeper, the widely used coordination service for naming and configuration management in distributed applications. Timely security updates are essential: the newly disclosed flaws let an attacker obtain sensitive configuration information from client logs, or bypass hostname verification to impersonate trusted servers.

Both the 3.8.x and 3.9.x release branches are affected. The first vulnerability, tracked as CVE-2026-24308, is a sensitive information disclosure found by researcher Youlong Chen. It is caused by the ZKConfig component's incorrect handling of configuration values: when a client connects, sensitive configuration values are written to the client's log file at the default INFO logging level.

This means that anyone with read access to the log files, whether an unauthorized user or an attacker who has already gained a foothold, could quietly harvest sensitive production configuration without triggering any alerts. The second problem, found by Nikita Markevich and tracked as CVE-2026-24281 (and internally as ZOOKEEPER-4986), is a hostname verification bypass. When IP Subject Alternative Name (SAN) validation fails, the ZKTrustManager component automatically falls back to a reverse DNS (PTR) lookup of the peer address and checks the resulting hostname instead.

An attacker who controls or can spoof PTR records can therefore impersonate legitimate ZooKeeper servers or clients. The attacker still needs to present a certificate that ZKTrustManager trusts, which makes this harder to exploit, but once that condition is met a successful attack undermines the system's trust model entirely, because the identity decision then rests on DNS data the verifier does not control.
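To make the fallback concrete, the following added example models the check described above. It is an illustration written for this article, not ZooKeeper's ZKTrustManager code: the certificate shape, the resolver callbacks, the hostnames and addresses, and the allow_reverse_dns parameter are all constructed (the real configuration property that the fix introduces is not named here). The attacker sits on the path to the genuine server and presents a certificate that the shared internal CA really issued to a different host it controls.

```python
"""Model of the CVE-2026-24281 weakness: an IP-SAN check that falls back to reverse DNS.

Added illustration for this article, not ZooKeeper's ZKTrustManager code. The
certificate shape, resolver callbacks and allow_reverse_dns option are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Stand-in for the subject alternative names of a certificate the trust store accepts."""
    ip_sans: set = field(default_factory=set)
    dns_sans: set = field(default_factory=set)


def san_matches_ip(cert: PeerCert, peer_ip: str) -> bool:
    """Strict identity check: the address we connected to must be an IP SAN."""
    addr = ipaddress.ip_address(peer_ip)
    return any(ipaddress.ip_address(s) == addr for s in cert.ip_sans)


def verify_peer(cert: PeerCert, peer_ip: str, ptr_lookup, allow_reverse_dns: bool) -> bool:
    """Accept or reject a peer certificate for a connection to peer_ip.

    ptr_lookup(ip) -> hostname or None models the reverse DNS resolver. With
    allow_reverse_dns=True this behaves like the vulnerable fallback described in
    the article; with False it is the strict check.
    """
    if san_matches_ip(cert, peer_ip):
        return True
    if not allow_reverse_dns:
        return False
    # Vulnerable fallback: ask DNS what name peer_ip has, then accept the
    # certificate if that name is one of its DNS SANs. The decision now rests on
    # a PTR record, which the verifier does not control.
    hostname = ptr_lookup(peer_ip)
    return hostname is not None and hostname.lower() in {d.lower() for d in cert.dns_sans}


# Constructed scenario. The client intends to reach the ensemble member at SERVER_IP;
# an attacker on the path answers instead with a certificate the internal CA issued
# to another host (node7) that the attacker controls.
SERVER_IP = "10.0.0.10"
SERVER_CERT = PeerCert(ip_sans={SERVER_IP}, dns_sans={"zk1.example.internal"})
ATTACKER_CERT = PeerCert(ip_sans=set(), dns_sans={"node7.example.internal"})


def honest_ptr(ip: str):
    """Reverse zone as the administrator publishes it (constructed)."""
    return {SERVER_IP: "zk1.example.internal"}.get(ip)


def spoofed_ptr(ip: str):
    """Reverse zone as the attacker makes it appear: SERVER_IP now 'is' node7."""
    return {SERVER_IP: "node7.example.internal"}.get(ip)


def scenario() -> dict:
    """Run the four cases that matter and return which connections were accepted."""
    return {
        "genuine_server": verify_peer(SERVER_CERT, SERVER_IP, honest_ptr, allow_reverse_dns=False),
        "attacker_honest_dns": verify_peer(ATTACKER_CERT, SERVER_IP, honest_ptr, allow_reverse_dns=True),
        "attacker_spoofed_ptr": verify_peer(ATTACKER_CERT, SERVER_IP, spoofed_ptr, allow_reverse_dns=True),
        "attacker_fallback_disabled": verify_peer(ATTACKER_CERT, SERVER_IP, spoofed_ptr, allow_reverse_dns=False),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case:28s} {'ACCEPTED' if accepted else 'rejected'}")
```

The only case that changes between the honest and spoofed resolvers is the attacker's: the strict IP SAN check rejects it either way, and disabling the fallback keeps it rejected even when the PTR record lies. That is why the fix is a switch that turns the reverse lookup off rather than a tweak to how the lookup is done.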

Apache strongly advises administrators to update their ZooKeeper installations to the patched versions immediately to protect their infrastructure. The official fixes are in Apache ZooKeeper 3.8.6 and 3.9.5. Applying these updates closes the logging exposure, so that ZKConfig no longer writes sensitive values to local log files.

The updates also resolve the hostname verification bypass by adding a new configuration option that disables reverse DNS lookups for both the client and quorum protocols. Beyond patching, security teams should review their logging environments, including older, rotated and archived log files, to make sure that sensitive values written by vulnerable versions are not still exposed, and rotate any credentials they find there.
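A starting point for that log review, as an added example that is not part of the advisory or the ZooKeeper project: a scanner that walks a log directory, opens plain and gzip-archived files alike, and reports lines where a configuration key that looks like a secret is followed by a value. The sample log lines, their timestamp and logger layout, and the list of key patterns are constructed for the example; the exact text ZKConfig wrote in vulnerable versions is not quoted in this article, so adjust the regular expression to what appears in your own logs. The property names zookeeper.ssl.keyStore.password and zookeeper.ssl.trustStore.password are real ZooKeeper client SSL settings and are the kind of value that should never appear in a log.

```python
"""Scan live and archived (.gz) ZooKeeper client logs for leaked secrets.

Added example, not from the ZooKeeper project. Sample log lines and the key
patterns are constructed for illustration; tune SENSITIVE_KEY to your own logs.
"""
import gzip
import os
import re
import tempfile
from pathlib import Path

# Keys whose values should never appear in a log file. The pattern is deliberately
# broad so that keys not listed here (custom SASL/JAAS settings, for example) are
# caught as well; widen it further if your logs use other naming.
SENSITIVE_KEY = re.compile(
    r"(?P<key>[\w.\-]*(?:password|passwd|secret|token|credential)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>[^\s,;]+)",
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Keep only a two-character prefix so the report itself does not re-leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def open_log(path: Path):
    """Open plain or gzip-compressed logs transparently; rotated archives are often .gz."""
    if path.suffix == ".gz":
        return gzip.open(path, "rt", encoding="utf-8", errors="replace")
    return open(path, "rt", encoding="utf-8", errors="replace")


def scan_file(path: Path):
    """Return (file, line number, key, masked value) for every sensitive key=value hit."""
    findings = []
    with open_log(path) as fh:
        for lineno, line in enumerate(fh, 1):
            for m in SENSITIVE_KEY.finditer(line):
                findings.append((str(path), lineno, m.group("key"), mask(m.group("value"))))
    return findings


def scan_tree(root: Path):
    """Walk a log directory, including rotated and archived files, and collect findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith((".log", ".gz")) or ".log." in name:
                findings.extend(scan_file(Path(dirpath) / name))
    return findings


# Constructed sample logs: a live file and one gzip-archived rotation. The layout
# mimics a log4j-style line but is not a quote of real ZooKeeper output.
SAMPLE_LIVE = """\
2026-02-10 09:12:01,113 [myid:] - INFO  [main:ZKConfig@77] - zookeeper.ssl.keyStore.location=/etc/zk/client.jks
2026-02-10 09:12:01,114 [myid:] - INFO  [main:ZKConfig@77] - zookeeper.ssl.keyStore.password=Hunter2!2026
2026-02-10 09:12:01,120 [myid:] - INFO  [main:ClientCnxn@1010] - Opening socket connection to server zk1/10.0.0.10:2281
"""
SAMPLE_ARCHIVED = """\
2026-01-03 22:40:17,002 [myid:] - INFO  [main:ZKConfig@77] - zookeeper.ssl.trustStore.password=tr0ubador
2026-01-03 22:40:17,003 [myid:] - INFO  [main:ZKConfig@77] - zookeeper.client.secure=true
"""


def build_sample_tree() -> Path:
    """Write the constructed logs into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="zk-logs-"))
    (root / "zookeeper.log").write_text(SAMPLE_LIVE, encoding="utf-8")
    archive = root / "archive"
    archive.mkdir()
    with gzip.open(archive / "zookeeper.log.2026-01-03.gz", "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_ARCHIVED)
    return root


if __name__ == "__main__":
    for path, lineno, key, masked in scan_tree(build_sample_tree()):
        print(f"{path}:{lineno}: {key}={masked}")
```

Point scan_tree at the real client log directory (and at wherever archives are shipped, such as a central log store) instead of the constructed tree. Each hit identifies a credential that must be treated as exposed for as long as that log existed, which is what drives the rotation step after the upgrade.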