Description
Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Potential Internal Data Disclosure
Action: Assess Impact
AI Analysis

Impact

The flaw is an LDAP Distinguished Name injection caused by incomplete escaping of LDAP queries when the server is configured with 8bit-dns enabled. An attacker can craft DNS requests that manipulate the LDAP query string and retrieve information from internal domain subtrees that would normally be inaccessible. The result is unintended disclosure of directory data, compromising confidentiality. This weakness is classified as CWE‑90.

Affected Systems

PowerDNS Authoritative software is affected. The CVE statement does not list precise version numbers, so any installation of PowerDNS Authoritative with 8bit‑dns enabled is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS score is currently available. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Exploitation requires the target to be reachable and running with 8bit‑dns enabled; an attacker can send crafted DNS queries over the network to trigger the injection and read internal LDAP data.

Generated by OpenCVE AI on April 22, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the 8bit‑dns feature if it is not required for your deployment.
  • Check the PowerDNS vendor site for patch releases or newer versions that fix the escaping issue and apply the update.
  • Monitor LDAP query logs and network traffic for abnormal directory access patterns, and apply network segmentation to limit exposure of the LDAP service.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Values Added:
  • First Time appeared: Powerdns; Powerdns authoritative
  • Vendors & Products: Powerdns; Powerdns authoritative

Wed, 22 Apr 2026 15:15:00 +0000

Values Added:
  • Weaknesses: CWE-90
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 14:15:00 +0000

Values Added:
  • Description: Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.
  • Title: LDAP DN injection
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:27:42.585Z

Reserved: 2026-03-23T12:58:38.267Z

Link: CVE-2026-33609

Vulnrichment

Updated: 2026-04-22T14:26:50.796Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:16:54.770

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T19:00:07Z