Description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO-level logging, so production systems are potentially affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue.
Published: 2026-03-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise through exposure of sensitive configuration data in client logs
Action: Immediate Patch
AI Analysis

Impact

In ZooKeeper 3.8.5 and 3.9.4 the configuration reader (ZKConfig) writes client configuration values to the log at INFO level. When a client starts, its configuration file is parsed and the values, which may include passwords or other secrets, are logged without masking. Anyone with read access to the log files can therefore recover credentials and other confidential data. The flaw is a straightforward confidentiality breach caused by improper logging practice.

Affected Systems

All platforms running Apache ZooKeeper 3.8.5 or 3.9.4 are affected. The vulnerability sits in the generic ZooKeeper client, so any installation that includes the client component and writes logs is impacted. The fix is available in 3.8.6 and 3.9.5.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium-severity vulnerability. EPSS puts the exploitation likelihood below 1%, suggesting a low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. Because the sensitive data is written only to logs during normal client startup, at INFO level, exploitation most likely requires local access, the ability to influence the client configuration, or read access to the log files.

Generated by OpenCVE AI on April 17, 2026 at 12:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ZooKeeper to version 3.8.6 or 3.9.5, which removes the logging of sensitive configuration values and addresses the improper logging of confidential information (CWE-117).
  • Reconfigure the logging framework to suppress or mask configuration values when they are logged, preventing leakage of secrets and mitigating the excessive logging issue (CWE-532).
  • Set strict file system permissions on ZooKeeper log files so that only privileged users can read them, reducing the risk that already-leaked sensitive data is accessed by unauthorized parties.

Advisories
Source: GitHub GHSA
ID: GHSA-crhr-qqj8-rpxc
Title: Apache ZooKeeper has improper handling of configuration values
History

Tue, 10 Mar 2026 18:15:00 +0000

Type / Values Removed / Values Added
CPEs: cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 10 Mar 2026 00:15:00 +0000

Type / Values Removed / Values Added
Weaknesses: CWE-117
References
Metrics: threat_severity None; cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}; threat_severity Moderate

Mon, 09 Mar 2026 10:15:00 +0000

Type / Values Removed / Values Added
First Time appeared: Apache; Apache zookeeper
Vendors & Products: Apache; Apache zookeeper

Sat, 07 Mar 2026 17:30:00 +0000

Type / Values Removed / Values Added
References

Sat, 07 Mar 2026 09:00:00 +0000

Type / Values Removed / Values Added
Description: Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.
Title: Apache ZooKeeper: Sensitive information disclosure in client configuration handling
Weaknesses: CWE-532
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-10T17:36:03.931Z

Reserved: 2026-01-21T21:37:46.975Z

Link: CVE-2026-24308

Vulnrichment

Updated: 2026-03-07T17:05:11.646Z

NVD

Status : Modified

Published: 2026-03-07T09:16:07.660

Modified: 2026-03-10T18:18:27.790

Link: CVE-2026-24308

Redhat

Severity : Moderate

Public Date: 2026-03-07T08:51:17Z

Links: CVE-2026-24308 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses