Description
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
Published: 2026-03-31
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

PowerDNS DNSdist exposes configuration details through a misconfigured Cross-Origin Resource Sharing (CORS) policy on its internal webserver. When that webserver is enabled, an attacker can trick an authenticated administrator into visiting a malicious page and cause the administrator's browser to send requests to the dashboard whose responses reveal runtime configuration data. The vulnerability lets an attacker obtain sensitive information from the DNSdist system without affecting integrity or availability.

Affected Systems

The affected product is PowerDNS DNSdist. The internal webserver is disabled by default but can be enabled by configuration. No specific version information is provided in the data, so any version that uses the internal webserver and contains the CORS defect could be impacted.

Risk and Exploitability

The CVSS score is 3.1, indicating low severity, and the EPSS score is less than 1%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack likely requires social engineering to get a logged-in administrator to visit a malicious site; no remote code execution or privilege escalation is possible. The primary risk is the inadvertent disclosure of configuration data to an adversary.

Generated by OpenCVE AI on March 31, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Consult the PowerDNS advisory and upgrade to the latest DNSdist release or apply the vendor‑supplied patch if available
  • Configure the internal webserver’s CORS policy to allow only the dashboard’s own origin or remove permissive CORS headers
  • If the internal webserver is not required, disable it entirely to remove the attack surface
  • Provide training to administrators about the risks of clicking unknown links while logged in and implement monitoring for suspicious external navigation
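As an added example (not PowerDNS or dnsdist code; the dashboard origin, the third-party origin and the header sets are constructed), a small check that models the browser's CORS decision for a dashboard response, beside the allowlist-based header policy the second bullet recommends:

```python
# Added example, not dnsdist's own implementation.  Models the browser-side
# CORS check a defender can run over captured dashboard responses, and the
# allowlist policy that closes the information-disclosure path described above.

def evaluate_cors(response_headers, request_origin):
    """Decide whether a page at `request_origin` could read this response,
    and whether it could do so with the administrator's credentials."""
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    # The only valid value is the case-sensitive literal "true".
    credentials_ok = headers.get("access-control-allow-credentials") == "true"

    if acao is None:
        return {"readable": False, "credentialed": False,
                "finding": "no CORS header: cross-origin reads blocked"}
    if acao == "*":
        # Browsers never pair '*' with credentials, so only anonymous reads leak.
        return {"readable": True, "credentialed": False,
                "finding": "wildcard origin: unauthenticated responses readable by any site"}
    if acao == request_origin:          # byte-for-byte match, as the browser does it
        finding = ("origin reflected with credentials: authenticated dashboard data "
                   "readable by this origin" if credentials_ok
                   else "origin allowed without credentials")
        return {"readable": True, "credentialed": credentials_ok, "finding": finding}
    return {"readable": False, "credentialed": False,
            "finding": f"origin {acao!r} allowed, {request_origin!r} is not"}


def hardened_cors_headers(request_origin, allowed_origins):
    """Emit CORS headers only for origins on an explicit allowlist (the
    dashboard's own origin); any other origin gets none, which the browser
    treats as a denied cross-origin read."""
    if request_origin not in allowed_origins:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",   # caches must not reuse one origin's answer for another
    }


def permissive_cors_headers(request_origin):
    """Constructed weak policy: reflects whatever Origin arrives, with credentials."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


DASHBOARD = "https://dnsdist-admin.example:8083"   # constructed dashboard origin
THIRD_PARTY = "https://third-party.example"         # constructed unrelated origin
```

Running `evaluate_cors(permissive_cors_headers(THIRD_PARTY), THIRD_PARTY)` reports a credentialed cross-origin read, while the same origin against `hardened_cors_headers` is blocked.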

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Powerdns; Powerdns dnsdist
Vendors & Products    -                Powerdns; Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Weaknesses            -                CWE-942
Metrics               -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
Description           -                When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
Title                 -                Information disclosure via CORS misconfiguration
References            -                -
Metrics               -                cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:20:22.473Z

Reserved: 2025-11-28T09:18:06.484Z

Link: CVE-2026-0397

Vulnrichment

Updated: 2026-03-31T13:20:17.929Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T12:16:27.340

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-0397

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:45Z

Weaknesses