Description
An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Database corruption leading to service disruption
Action: Apply Patch
AI Analysis

Impact

An operator who can invoke the REST API on PowerDNS Authoritative can trigger the creation of malformed HTTPS or SVCB records. Insufficient validation of these record types can corrupt the internal LMDB database, which destroys data integrity and may stop the DNS service from responding correctly. The flaw is classified as CWE-190 (integer overflow or wraparound) in the record parsing logic.

Affected Systems

The affected product is PowerDNS Authoritative. The advisory does not list specific vulnerable versions, so any instance that uses the REST API and employs the LMDB backend is considered susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploit activity. The likely attack vector requires an authenticated user with REST API privileges; operators or compromised accounts could invoke the vulnerable API endpoint to induce database corruption.

Generated by OpenCVE AI on April 27, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch or upgrade to a version of PowerDNS Authoritative that contains the validation fix.
  • Restrict REST API access to trusted administrators and enforce strong authentication to prevent unintended use of the API.
  • If feasible, move the database away from the LMDB backend or implement regular integrity checks and backups to detect and recover from corruption.
  • Monitor PowerDNS logs for errors during HTTPS or SVCB record creation and investigate any suspicious activity.

Advisories

Source       ID           Title
Debian DSA   DSA-6233-1   pdns security update

History

Tue, 12 May 2026 20:30:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 20:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Powerdns
                                        Powerdns authoritative
Vendors & Products                      Powerdns
                                        Powerdns authoritative

Wed, 22 Apr 2026 15:15:00 +0000

Type         Values Removed    Values Added
Weaknesses                     CWE-190
Metrics                        ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type          Values Removed    Values Added
Description                     An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
Title                           Insufficient validation of HTTPS and SVCB records
References
Metrics                         cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:24:57.121Z

Reserved: 2026-03-23T12:58:38.267Z

Link: CVE-2026-33611

Vulnrichment

Updated: 2026-04-22T14:24:08.362Z

NVD

Status: Analyzed

Published: 2026-04-22T14:16:55.000

Modified: 2026-05-12T20:16:46.797

Link: CVE-2026-33611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses