Description
CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.
Published: 2026-03-06
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Access control bypass in DNS queries
Action: Immediate patch
AI Analysis

Impact

CoreDNS implements a chain of plugins to process DNS queries. A logical flaw in the default plugin execution order allows the acl plugin to be evaluated before the rewrite plugin. This Time‑of‑Check Time‑of‑Use weakness (CWE‑367) lets an attacker send queries that bypass DNS access controls, potentially exposing zone information or subverting name resolution.

Affected Systems

Earlier releases of CoreDNS from coredns.io, up through version 1.14.1 and earlier, are vulnerable. The issue is fixed in version 1.14.2 and later. Systems running a CoreDNS instance without that patch are susceptible to the ACL bypass.

Risk and Exploitability

With a CVSS score of 7.7, the flaw poses a high risk. The EPSS score of less than 1 % indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need to send DNS queries over the network, but no vulnerability exploits rely on malicious code or elevated privileges; the exploit path is relatively straightforward if the vulnerable plugin order is present.

Generated by OpenCVE AI on April 16, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.2 or newer.
  • If an upgrade cannot be performed immediately, reconfigure the plugin chain so that the acl plugin runs after the rewrite plugin, ensuring ACL checks occur after any address translation.
  • Validate that ACL controls work by performing test queries that should be denied before upgrading or reconfiguring.

Generated by OpenCVE AI on April 16, 2026 at 11:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c9v3-4pv7-87pr CoreDNS ACL Bypass
History

Mon, 09 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Coredns.io
Coredns.io coredns
Vendors & Products Coredns.io
Coredns.io coredns

Sat, 07 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.
Title CoreDNS ACL Bypass
Weaknesses CWE-367
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Coredns.io Coredns
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:06:41.093Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26017

cve-icon Vulnrichment

Updated: 2026-03-06T16:06:35.183Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T16:16:10.397

Modified: 2026-03-09T20:31:14.997

Link: CVE-2026-26017

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-06T15:36:15Z

Links: CVE-2026-26017 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:30:15Z

Weaknesses