Two high-impact vulnerabilities that could result in the exposure of sensitive data and possible server impersonation attacks have been addressed by critical security patches for Apache ZooKeeper, a popular centralized service for maintaining configuration data and synchronization in distributed systems. Because both vulnerabilities could affect enterprise-scale production environments, the Apache Software Foundation (ASF) rated them as "Important."

Errors in Configuration and Hostname Verification

The first problem, identified as CVE-2026-24308, is the unintentional disclosure of private data due to incorrect logging in the ZKConfig component.
Configuration values, such as environment settings and credentials, were being stored in plain text at the INFO log level due to insufficient log sanitization.
Since production deployments usually have INFO-level logging enabled by default, any user or attacker who gains access to these logs may be able to read sensitive configuration information. ASF notes that this vulnerability could affect both infrastructure privacy and operational security. Security researcher Youlong Chen identified the issue and responsibly reported it.
The second vulnerability, CVE-2026-24281, affects hostname verification in the ZKTrustManager. When the standard IP-based Subject Alternative Name (SAN) check fails, ZooKeeper falls back to a reverse DNS (PTR) lookup to validate the hostname. An attacker able to manipulate or spoof PTR records could exploit this behavior to impersonate legitimate ZooKeeper servers or clients.
Even though the attack requires a digitally signed certificate that the ZKTrustManager trusts, it still presents a serious risk in environments with strict controls and trust boundaries. Nikita Markevich reported the flaw, which is tracked internally as ZOOKEEPER-4986 and affects the same release ranges as the first issue. In summary, Apache ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4 were found to contain two significant vulnerabilities.
The first, CVE-2026-24308, involves the disclosure of sensitive information in logs as a result of the ZKConfig component logging at the INFO level, which may reveal private configuration information. The second, CVE-2026-24281, makes it possible to circumvent hostname verification by using ZKTrustManager's reverse DNS fallback, which could lead to man-in-the-middle (MITM) attacks.
Both issues are rated Important and should be mitigated immediately to prevent data exposure or unauthorized access. ASF advises upgrading without delay to ZooKeeper 3.8.6 or 3.9.5. These patched releases correct the logging behavior so that credentials and configuration secrets are no longer written in plain text.
They also remove the PTR fallback mechanism that made hostname spoofing possible and add a new configuration option to disable reverse DNS lookups entirely. Administrators should additionally audit their existing ZooKeeper logs for exposed credentials and rotate any passwords or authentication keys found there.
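To make the second flaw concrete, here is a small Python model (added here, not ZooKeeper's own code) of the two verification policies the article contrasts: strict IP-SAN matching versus the vulnerable PTR fallback. The SAN list, IP addresses and PTR table are constructed, and the model assumes certificate chain validation has already succeeded, since the article notes the attack needs a certificate the trust manager accepts.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the SANs of a legitimate server certificate (hypothetical values).
SERVER_SANS: List[Tuple[str, str]] = [
    ("DNS", "zk1.example.internal"),
    ("IP", "10.0.0.11"),
]

# Constructed table standing in for reverse DNS. The second entry models an
# address whose PTR record has been pointed at the legitimate server's name.
PTR_TABLE: Dict[str, str] = {
    "10.0.0.11": "zk1.example.internal",  # legitimate server
    "10.0.0.99": "zk1.example.internal",  # spoofed PTR record
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Stand-in for a reverse DNS query; returns None when no PTR exists."""
    return PTR_TABLE.get(ip)


def verify_peer(peer_ip: str, sans: List[Tuple[str, str]], allow_ptr_fallback: bool,
                resolver: Callable[[str], Optional[str]] = ptr_lookup) -> bool:
    """Model of hostname verification for a peer reached by IP address.

    Chain validation is assumed to have passed already. Strict mode accepts the
    peer only if its IP appears as an IP SAN. Fallback mode (the vulnerable
    behaviour described above) resolves the IP via PTR when the IP SAN check
    fails and accepts the peer if the resolved name matches a DNS SAN.
    """
    ip = ipaddress.ip_address(peer_ip)
    ip_sans = {ipaddress.ip_address(v) for t, v in sans if t == "IP"}
    if ip in ip_sans:
        return True
    if not allow_ptr_fallback:
        return False  # the fix: no reverse DNS, so a spoofed PTR is irrelevant
    name = resolver(peer_ip)
    if name is None:
        return False
    dns_sans = {v.lower() for t, v in sans if t == "DNS"}
    return name.lower().rstrip(".") in dns_sans
```

Running the model shows the spoofed address passing only in fallback mode, which is why disabling reverse DNS lookups closes the hole.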