Description
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Disable Web Server
AI Analysis

Impact

The vulnerability originates from insufficient input validation in PowerDNS's internal web server, which allows an adversary to craft an HTTP request that triggers unbounded memory allocation. The resulting memory exhaustion causes the process to crash or become unresponsive, leading to a Denial-of-Service condition for the DNS service. The flaw is a classic input-validation weakness that permits resource exhaustion.

Affected Systems

The flaw is present in PowerDNS Authoritative, DNSdist, and Recursor products. No specific versions are listed in the CNA data, so all publicly available releases that contain the internal web server component may be affected. Because the internal server is disabled by default, the issue only surfaces in installations that explicitly enable it.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as Medium severity. EPSS indicates the exploit probability is very low (<1%), and the vulnerability is not listed in CISA's KEV catalog, suggesting no widespread exploitation has been observed yet. The attack vector is remote via the internal web server; however, since the server is typically bound to localhost, attackers would need network access to the host or a misconfiguration that exposes the endpoint. In the absence of a public exploit, the risk is limited to environments where the internal server is enabled and reachable from untrusted networks.

Generated by OpenCVE AI on April 27, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the internal web server if it is not required for your deployment.
  • If the internal web server must remain enabled, configure it to listen only on the localhost interface and restrict access to trusted hosts.
  • Update all PowerDNS components to the latest available release that contains the fix, following the vendor’s release notes or advisories.
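The following is an added example, not taken from the OpenCVE page or from the PowerDNS project, that audits a PowerDNS Authoritative or Recursor configuration file against the recommendations above: it reports whether the internal web server is disabled, enabled but bound to loopback, or enabled on a non-loopback address, and shows the configured access list. The setting names webserver, webserver-address and webserver-allow-from are assumed from the PowerDNS documentation as I know it, and the classic key=value file format is assumed (the Recursor's newer YAML format is not handled); confirm names and defaults against the documentation for your release.

```shell
#!/bin/sh
# Added example, not part of the OpenCVE page or of the PowerDNS project.
# Audits a PowerDNS Authoritative or Recursor configuration file in the
# classic key=value format (pdns.conf / recursor.conf). Assumed setting
# names, taken from the PowerDNS documentation as I know it: webserver,
# webserver-address, webserver-allow-from. Verify against your version.

# last_setting FILE KEY
# Prints the value of the last uncommented "KEY=value" line in FILE
# (later lines win, as in most INI-style parsers), or nothing if unset.
last_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# webserver_exposure FILE
# Classifies the configured web server as one of:
#   disabled  - webserver is off (the default), so the issue is not reachable
#   localhost - enabled but bound to a loopback address
#   exposed   - enabled and bound to a non-loopback address
webserver_exposure() {
    enabled=$(last_setting "$1" webserver)
    addr=$(last_setting "$1" webserver-address)
    case "$enabled" in
        yes|true|on|1) ;;
        *) echo disabled; return 0 ;;
    esac
    # Assumption: an unset webserver-address defaults to 127.0.0.1.
    addr=${addr:-127.0.0.1}
    case "$addr" in
        127.*|::1|localhost) echo localhost ;;
        *) echo exposed ;;
    esac
}

# webserver_acl FILE
# Prints the webserver-allow-from list, or "(default)" when it is not set,
# so the operator can confirm access is limited to trusted hosts.
webserver_acl() {
    acl=$(last_setting "$1" webserver-allow-from)
    echo "${acl:-(default)}"
}

# Demonstration on a constructed configuration (not a real deployment).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample pdns.conf
launch=bind
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
EOF
echo "exposure: $(webserver_exposure "$demo_cfg")"   # exposed
echo "allow-from: $(webserver_acl "$demo_cfg")"      # (default)
rm -f "$demo_cfg"
```

Run it as `sh audit.sh` to see the demonstration, or call `webserver_exposure /etc/powerdns/pdns.conf` after sourcing the file. A result of "exposed", or of "localhost" with a "(default)" access list, is the condition the recommendations above tell you to correct, either by setting webserver=no or by binding to a loopback address and listing trusted hosts in webserver-allow-from.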



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added:
  cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*
  cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*
  cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
  cpe:2.3:a:powerdns:recursor:5.4.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-770

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Powerdns
  Powerdns authoritative
  Powerdns dnsdist
  Powerdns recursor

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Powerdns
  Powerdns authoritative
  Powerdns dnsdist
  Powerdns recursor

Wed, 22 Apr 2026 10:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Type: Title
Values Removed: (none)
Values Added: Insufficient input validation of internal webserver

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:10:30.709Z

Reserved: 2026-03-18T10:06:16.572Z

Link: CVE-2026-33257

Vulnrichment

Updated: 2026-04-22T18:03:44.579Z

NVD

Status: Analyzed

Published: 2026-04-22T10:16:51.313

Modified: 2026-04-27T17:03:56.720

Link: CVE-2026-33257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:30:12Z

Weaknesses