Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CoreDNS versions prior to 1.14.3 allow an unauthenticated remote client to bypass TSIG authentication over encrypted DNS transports such as DoT, DoH, DoH3, DoQ, and gRPC because the TSIG verification step is delegated to the transport writer’s TsigStatus function, which in these transports either returns nil or does not set a secret. This flaw, classified as CWE-303, permits the attacker to gain access to services that are protected by a tsig require all policy, thereby compromising the confidentiality and integrity of DNS data that were otherwise restricted.

Affected Systems

The vulnerability affects the CoreDNS project, with all releases earlier than 1.14.3. Encrypted transports including DNS over TLS, HTTPS, HTTP/3, QUIC, and gRPC are impacted, while plain DNS over TCP and UDP remain unaffected.

Risk and Exploitability

The CVSS score of 8.7 reflects a high risk of exploitation. Although an EPSS score is not currently published, the flaw can be exploited remotely without authentication by simply invoking any of the vulnerable encrypted transports. The issue was mitigated in version 1.14.3, which corrects the TSIG verification logic. Until updated, exposed systems are at significant risk of unauthorized data retrieval or modification.

Generated by OpenCVE AI on May 5, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.3 or later to apply the vendor fix.
  • If immediate upgrade is not possible, reconfigure the DNS server to disable encrypted transports or enforce TSIG checks only on plain DNS connections.
  • Verify that any custom TSIG policies remain enforced on the remaining non-encrypted transports to maintain baseline security.

Advisories

Source: Github GHSA
ID: GHSA-qhmp-q7xh-99rh
Title: CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC
History

Tue, 05 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.
Title | (none) | CoreDNS TSIG authentication bypass on encrypted DNS transports
Weaknesses | (none) | CWE-303
References | (none) | (none)
Metrics | (none) | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:02:55.374Z

Reserved: 2026-03-17T22:16:36.721Z

Link: CVE-2026-33190

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T20:16:36.167

Modified: 2026-05-05T20:16:36.167

Link: CVE-2026-33190

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses