Description
CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.

An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.

This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
Published: 2026-05-05
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CoreDNS versions before 1.14.3 contain a false-accept bug in TSIG handling across gRPC, QUIC, DoH, and DoH3 transports. The server verifies the presence of a configured key name but never validates the HMAC, and for DoH/DoH3 it ignores TSIG records entirely. As a result, any request that includes a TSIG record is treated as authenticated, granting the attacker the ability to perform zone transfers (AXFR/IXFR), dynamic updates, or other privileged operations that would normally require a valid TSIG key. This flaw is a classic authentication bypass (CWE‑287).

Affected Systems

The vulnerable component is the CoreDNS DNS server provided by the coredns organization. All releases prior to 1.14.3 are affected. CoreDNS is widely deployed in Kubernetes and cloud-native environments as the default DNS server. The issue is resolved in release 1.14.3 and later.

Risk and Exploitability

The CVSS score of 8.2 reflects significant remote impact. Although no EPSS value is available, the vulnerability is exploitable by any network adversary with reach to the affected ports; the attacker does not need to know a valid key for DoH or DoH3. The vulnerability is not listed in the CISA KEV catalog, but the lack of persistence does not diminish the risk to environments exposing TSIG-enabled transports. The attack path involves sending a forged TSIG‑bearing packet to the server and receiving privileged actions such as unauthorized zone data or server state changes.

Generated by OpenCVE AI on May 5, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.3 or later, which implements correct TSIG verification for all transports.
  • If an upgrade is not feasible, disable the gRPC, QUIC, DoH, and DoH3 listeners that require TSIG authentication to prevent forged requests from reaching the server.
  • Enforce network-level restrictions on the ports used by those transports, allowing traffic only from trusted sources; a firewall or security group can enforce this limitation.

Generated by OpenCVE AI on May 5, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vp29-5652-4fw9 CoreDNS has TSIG authentication bypass on gRPC and QUIC transports
History

Wed, 06 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Coredns.io
Coredns.io coredns
Vendors & Products Coredns.io
Coredns.io coredns

Tue, 05 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
Title CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:29:16.903Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35579

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T21:16:22.247

Modified: 2026-05-05T21:16:22.247

Link: CVE-2026-35579

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:00:09Z

Weaknesses