Description
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.
Published: 2026-04-22
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via backend configuration corruption
Action: Immediate Patch
AI Analysis

Impact

A recent PowerDNS vulnerability allows an attacker to craft a notify message that adds a secondary domain to the bind backend. The backend's configuration is then overwritten with an invalid value, causing the service to fail on the next restart. The impact is a denial of service, as the authoritative server cannot start without manual intervention. The weakness is related to unsanitized domain names being inserted into configuration files (CWE‑94).

Affected Systems

PowerDNS Authoritative DNS servers that use a bind backend are affected. The advisory lists the product as PowerDNS:Authoritative with unspecified impacted versions; any installation that processes notify requests without proper validation is vulnerable.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. The exploit requires the attacker to send a crafted notify request to a vulnerable PowerDNS instance; the attack vector is remote network access to the DNS server. There is no known public exploit at this time, and the vulnerability is not listed in the CISA KEV catalog. However, once exploited it can bring the authoritative service down until a manual reset or patch is applied.

Generated by OpenCVE AI on April 27, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade PowerDNS to the latest release as outlined in the PowerDNS advisory.
  • If upgrading is not immediately possible, disable or restrict the DNS NOTIFY protocol to trusted IP addresses to mitigate the risk of malicious notify messages.
  • Review and correct the bind backend configuration to ensure it contains valid values before restarting the service, and consider implementing automated checks or monitoring to detect configuration corruption events.

Generated by OpenCVE AI on April 27, 2026 at 08:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6233-1 pdns security update
History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns authoritative
Vendors & Products Powerdns
Powerdns authoritative

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.
Title Incomplete domain name sanitization during
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Powerdns Authoritative
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:28:15.172Z

Reserved: 2026-03-23T12:58:38.267Z

Link: CVE-2026-33608

cve-icon Vulnrichment

Updated: 2026-04-22T14:27:55.851Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:54.650

Modified: 2026-04-24T18:52:44.260

Link: CVE-2026-33608

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses