Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.
Published: 2026-05-05
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The transfer plugin in CoreDNS versions before 1.14.3 selects the ACL stanza for a zone transfer by lexicographic string comparison of the candidate zone names instead of a true longest-suffix match. When both a parent zone and a more specific subzone are configured for transfer, the permissive ACL of the parent can win over the restrictive ACL of the subzone whenever the parent's name sorts higher (for example "example.org." > "a.example.org."). An unauthenticated remote client can then request AXFR or IXFR for the subzone and retrieve its complete contents, which is an information disclosure. The weakness is classified as CWE-863 (Incorrect Authorization).
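The selection bug described in the Description and Impact sections, reconstructed as an added Go example. This is not CoreDNS's code: the Stanza type, the configuration, and the two selection functions are assumptions modelled on the advisory's wording, with selectLexicographic standing in for the faulty longestMatch() behaviour and selectLongestSuffix for the intended rule. The parent/subzone configuration and client addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Stanza is an assumed, minimal model of one transfer block: the zones it
// serves and the "to" entries (CIDR or "*") allowed to request AXFR/IXFR.
// It is an illustration, not CoreDNS's own type.
type Stanza struct {
	Zones []string
	To    []string
}

// coversZone reports whether qname equals zone or lies beneath it. Names are
// fully qualified and lower-case; the check is label-boundary aware, so
// "xample.org." does not match "example.org.".
func coversZone(qname, zone string) bool {
	if zone == "." || qname == zone {
		return true
	}
	return strings.HasSuffix(qname, "."+zone)
}

// selectLexicographic reproduces the faulty rule the advisory describes:
// among zones covering qname, the one that compares greater as a string wins,
// which says nothing about how specific it is.
func selectLexicographic(stanzas []Stanza, qname string) (*Stanza, string) {
	var best *Stanza
	bestZone := ""
	for i := range stanzas {
		for _, z := range stanzas[i].Zones {
			if !coversZone(qname, z) {
				continue
			}
			if best == nil || z > bestZone { // plain string compare: the bug
				best, bestZone = &stanzas[i], z
			}
		}
	}
	return best, bestZone
}

// selectLongestSuffix is the intended rule: the covering zone with the most
// labels wins, so a subzone always takes precedence over its parent.
func selectLongestSuffix(stanzas []Stanza, qname string) (*Stanza, string) {
	var best *Stanza
	bestZone, bestLabels := "", -1
	for i := range stanzas {
		for _, z := range stanzas[i].Zones {
			if !coversZone(qname, z) {
				continue
			}
			if n := strings.Count(z, "."); n > bestLabels {
				best, bestZone, bestLabels = &stanzas[i], z, n
			}
		}
	}
	return best, bestZone
}

// allowedTo reports whether client falls inside one of the stanza's "to"
// entries. A nil stanza (no zone matched) always denies.
func allowedTo(s *Stanza, client string) bool {
	ip := net.ParseIP(client)
	if s == nil || ip == nil {
		return false
	}
	for _, to := range s.To {
		if to == "*" {
			return true
		}
		if _, n, err := net.ParseCIDR(to); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// transferPermitted answers "may client transfer qname?" under the given
// selection rule, mirroring the ACL check applied to an AXFR/IXFR request.
func transferPermitted(sel func([]Stanza, string) (*Stanza, string), stanzas []Stanza, qname, client string) bool {
	s, _ := sel(stanzas, qname)
	return allowedTo(s, client)
}

func main() {
	// Constructed configuration in the shape the advisory describes: a parent
	// zone open to everyone and a subzone restricted to an internal network.
	cfg := []Stanza{
		{Zones: []string{"example.org."}, To: []string{"*"}},
		{Zones: []string{"a.example.org."}, To: []string{"10.0.0.0/8"}},
	}
	const qname, outsider = "a.example.org.", "203.0.113.7" // client outside 10.0.0.0/8

	_, z := selectLexicographic(cfg, qname)
	fmt.Printf("lexicographic:  picks %-16q AXFR from %s allowed: %v\n", z, outsider,
		transferPermitted(selectLexicographic, cfg, qname, outsider))
	_, z = selectLongestSuffix(cfg, qname)
	fmt.Printf("longest-suffix: picks %-16q AXFR from %s allowed: %v\n", z, outsider,
		transferPermitted(selectLongestSuffix, cfg, qname, outsider))
}
```

Swapping in names where the parent sorts lower (for example "a.org." with subzone "b.a.org.") makes the lexicographic rule pick the subzone by accident, which is why the advisory says the outcome depends on zone name ordering; the label-count rule gives the same answer regardless of how the names sort.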

Affected Systems

CoreDNS releases prior to 1.14.3, from any vendor or distribution, that use the transfer plugin with both a parent zone and a more specific subzone configured for transfer under different access lists. Where the transfer plugin is not enabled, or no transferable zone is a subzone of another transferable zone, the faulty comparison has nothing to choose between and the bug has no effect.

Risk and Exploitability

The CVSS 4.0 score of 8.2 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H) reflects remote, unauthenticated disclosure of confidential data; the AT:P component records that a specific configuration must be present, namely a parent zone and a subzone both configured for transfer with differing ACLs, with the parent's name sorting higher than the subzone's. EPSS data is not available and the CVE is not listed in CISA's KEV catalog; the SSVC assessment in the history below records Exploitation: poc and Automatable: yes. The attack is a plain AXFR or IXFR request over DNS from a client outside the subzone's allow list. No credentials or user interaction are needed, so wherever the configuration matches, exploitation is straightforward.

Generated by OpenCVE AI on May 5, 2026 at 20:21 UTC.

Remediation

Fixed in CoreDNS 1.14.3; see GHSA-h8mm-c463-wjq3. No separate workaround is published by the project.

OpenCVE Recommended Actions

  • Upgrade to CoreDNS 1.14.3 or later, where the transfer plugin selects the stanza by an actual longest-suffix match.
  • Until then, audit every Corefile for transferable zones that are subzones of another transferable zone, and make the parent zone's `to` list no more permissive than the subzone's: because the parent's ACL is the one that may be applied, a restrictive subzone rule alone offers no protection.
  • Restrict zone transfer to trusted addresses, removing any `to *` wildcard on the parent, or disable transfer for the affected subzone if immediate patching is not possible.
  • Verify from an address outside the subzone's allow list that an AXFR request for the subzone (for example with `dig AXFR <subzone> @<server>`) is refused after the change.


Advisories
Source ID Title
Github GHSA GHSA-h8mm-c463-wjq3 CoreDNS' transfer stanza selection uses lexicographic compare (subzone ACL bypass)
History

Tue, 05 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.
Title CoreDNS transfer plugin subzone ACL bypass via lexicographic zone comparison
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:43:06.361Z

Reserved: 2026-03-20T16:16:48.971Z

Link: CVE-2026-33489

Vulnrichment

Updated: 2026-05-05T19:42:42.960Z

NVD

Status : Received

Published: 2026-05-05T20:16:36.627

Modified: 2026-05-05T20:16:36.627

Link: CVE-2026-33489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:30:31Z

Weaknesses