Description
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
Published: 2026-03-31
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

When DNSdist's internal web admin interface is active, a misconfigured Cross-Origin Resource Sharing policy allows a malicious webpage to read configuration data that is normally protected by the dashboard API. An attacker can exploit this by luring an administrator who is logged in to the dashboard into visiting a crafted site, thereby leaking sensitive configuration information. The weakness is identified as a CORS policy flaw (CWE-942), resulting in unintended data disclosure.

Affected Systems

The vulnerability targets PowerDNS DNSdist. No explicit version range is provided in the advisory, so any build that includes the internal webserver and the default CORS policy may be affected. Administrators should check whether the webserver is running and whether the dashboard is exposed to external access.

Risk and Exploitability

The CVSS score of 3.1 indicates a low-severity data-exposure risk. An EPSS value below 1% suggests that the probability of exploitation is very low, and the flaw does not appear in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector involves an authenticated administrator who visits a malicious webpage; this component of the attack is inferred, not directly documented in the advisory. While the impact is limited to data disclosure, appropriate mitigations remain advisable.

Generated by OpenCVE AI on April 14, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Confirm that the internal webserver is disabled unless required
  • If the webserver must remain enabled, restrict the CORS policy to allow only trusted origins
  • Apply the latest DNSdist release when one becomes available
  • Monitor dashboard access logs for unexpected cross-origin requests

Generated by OpenCVE AI on April 14, 2026 at 17:51 UTC.
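The recommended action "restrict the CORS policy to allow only trusted origins" comes down to one browser rule: a page on another origin can read a response sent with the administrator's credentials only when the server answers with Access-Control-Allow-Origin set to that page's exact origin and Access-Control-Allow-Credentials: true. The audit helper below is an added example, not code from DNSdist or OpenCVE; the trusted origin, the untrusted origin and the response headers are constructed values.

```python
"""Audit helper for the CORS weakness (CWE-942) described in this advisory.

Added example, not DNSdist or OpenCVE code. It models the browser rule that
matters here: a credentialed cross-origin read succeeds only when the server
echoes the requesting origin in Access-Control-Allow-Origin and also sends
Access-Control-Allow-Credentials: true. All origins/headers are constructed."""

# Constructed: the only origin administrators should use to open the dashboard.
TRUSTED_ORIGINS = {"https://dnsdist-admin.example.internal"}


def credentialed_read_allowed(origin: str, response_headers: dict) -> bool:
    """Return True if a browser on `origin` may read a credentialed response."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # "*" is never accepted for credentialed requests, so it cannot expose the
    # logged-in administrator's view; only an exact, reflected origin can.
    return creds and acao is not None and acao != "*" and acao == origin


def is_misconfigured(origin: str, response_headers: dict) -> bool:
    """The advisory's condition: an untrusted origin gets a credentialed read."""
    return origin not in TRUSTED_ORIGINS and credentialed_read_allowed(
        origin, response_headers)


def hardened_cors_headers(origin: str) -> dict:
    """Headers a dashboard should send: allowlisted origins only, never reflect."""
    if origin not in TRUSTED_ORIGINS:
        return {"Vary": "Origin"}          # no ACAO at all: the browser blocks the read
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                  # caches must not reuse across origins
    }


# Constructed: a response that reflects whatever origin asked, with credentials.
UNTRUSTED_ORIGIN = "https://untrusted.example"
REFLECTING = {"Access-Control-Allow-Origin": UNTRUSTED_ORIGIN,
              "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    print("reflecting policy misconfigured:",
          is_misconfigured(UNTRUSTED_ORIGIN, REFLECTING))
    print("hardened policy misconfigured:",
          is_misconfigured(UNTRUSTED_ORIGIN, hardened_cors_headers(UNTRUSTED_ORIGIN)))
```

To audit a live dashboard, fetch an authenticated API endpoint with a deliberately foreign Origin header and pass the response headers to `is_misconfigured`.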


Advisories

Source: Debian DSA
ID: DSA-6235-1
Title: dnsdist security update
History

Tue, 14 Apr 2026 16:30:00 +0000

Type: CPEs
Added: cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Added: Powerdns; Powerdns dnsdist

Type: Vendors & Products
Added: Powerdns; Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type: Weaknesses
Added: CWE-942

Type: Metrics (ssvc)
Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 12:00:00 +0000

Type: Description
Added: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

Type: Title
Added: Information disclosure via CORS misconfiguration

Type: References
Added: (empty)

Type: Metrics (cvssV3_1)
Added: {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:20:22.473Z

Reserved: 2025-11-28T09:18:06.484Z

Link: CVE-2026-0397

Vulnrichment

Updated: 2026-03-31T13:20:17.929Z

NVD

Status: Analyzed

Published: 2026-03-31T12:16:27.340

Modified: 2026-04-14T16:27:53.770

Link: CVE-2026-0397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses