Description
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (the default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Access Control Bypass
Action: Patch
AI Analysis

Impact

The vulnerability lets a DNS over HTTPS (DoH) client bypass the configured ACL when the early_acl_drop option is disabled. In that state the ACL check is skipped entirely, so any source IP address can send DoH queries to the DNSdist server. Unauthorized clients can then consume DNS service, potentially leading to service overutilization, traffic snooping, or covert DNS tunneling. The weakness is classified as CWE-863 (Incorrect Authorization).

Affected Systems

The flaw affects PowerDNS DNSdist deployments that expose a DoH frontend via the nghttp2 provider. Any configuration that disables the early_acl_drop flag (the default leaves it enabled, so this requires an explicit change) makes the server vulnerable. No particular software versions are listed here, so any release that allows toggling this flag should be treated as susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS value below 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild is known. Exploitation needs nothing more than network reachability to a DoH frontend that uses the nghttp2 provider with early_acl_drop turned off; no credentials and no access to the DNSdist configuration are required (the CVSS vector is AV:N/PR:N). An attacker can then send DNS queries over HTTPS from any origin, bypassing the ACL.

Generated by OpenCVE AI on April 14, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the PowerDNS DNSdist security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the recommended fix.
  • Ensure the early_acl_drop setting is enabled. The default is enabled, so verify that no configuration file directive or control-interface command has turned it off.
  • If you need to modify ACL rules, maintain early_acl_drop enabled and use the standard ACL mechanisms to restrict traffic.
  • Apply the latest DNSdist release available from the vendor, as newer versions may contain additional mitigations or runtime validations.
  • If you must temporarily disable early_acl_drop, limit network access to the DNSdist instance with firewall rules or network segmentation so that clients the ACL would otherwise deny cannot reach the DoH frontend.



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Powerdns; Powerdns dnsdist
Vendors & Products | | Powerdns; Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-863
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
Title | | DNS over HTTPS ACL bypass
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Powerdns Dnsdist
MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:15:37.448Z

Reserved: 2026-01-20T14:56:25.872Z

Link: CVE-2026-24029

Vulnrichment

Updated: 2026-03-31T13:15:30.408Z

NVD

Status : Analyzed

Published: 2026-03-31T12:16:27.633

Modified: 2026-04-14T16:24:27.147

Link: CVE-2026-24029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses