Description
CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary.

An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name.

This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
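As an added example (not CoreDNS's code, and not the miekg/dns dns.TsigVerify() routine the description names), the Go program below models the three status behaviours the advisory describes side by side: a key-name-only check that never compares the MAC (the pre-1.14.3 gRPC/QUIC path), an unconditional nil status (the pre-1.14.3 DoH/DoH3 path), and the correct shape, which recomputes the MAC with the configured secret and compares it in constant time. Key names, secrets, function names and the message are constructed placeholders, and the MAC is simplified to HMAC-SHA256 over the message bytes rather than the full RFC 8945 digest, because the point is whether the MAC is checked at all, not how it is encoded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// configuredKeys models the server's TSIG key store (key name -> secret).
// The name and secret are constructed placeholders for this example.
var configuredKeys = map[string][]byte{
	"axfr-key.example.": []byte("constructed-demo-secret-not-a-real-key"),
}

// tsigRecord holds the two TSIG RR fields relevant to this bug: the key name
// the client claims and the MAC it presents.
type tsigRecord struct {
	KeyName string
	MAC     []byte
}

var (
	errUnknownKey = errors.New("tsig: unknown key name")
	errBadMAC     = errors.New("tsig: MAC does not verify")
)

// computeMAC is the reference MAC for this model: HMAC-SHA256 over the wire
// message. Real TSIG (RFC 8945) also covers the TSIG variables (algorithm,
// time signed, fudge, ...); that detail is omitted here.
func computeMAC(secret, message []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(message)
	return m.Sum(nil)
}

// tsigStatusKeyNameOnly reproduces the flawed gRPC/QUIC logic the advisory
// describes: the key name is looked up, and if it exists the status stays
// nil (authenticated) without the MAC ever being compared.
func tsigStatusKeyNameOnly(rec tsigRecord, _ []byte) error {
	if _, ok := configuredKeys[rec.KeyName]; !ok {
		return errUnknownKey
	}
	return nil // MAC never examined
}

// tsigStatusAlwaysNil models the DoH/DoH3 path: the status is
// unconditionally nil, so even an unknown key name counts as authenticated.
func tsigStatusAlwaysNil(_ tsigRecord, _ []byte) error {
	return nil
}

// tsigStatusVerified is the correct shape: look up the secret, recompute the
// MAC over the message, and compare in constant time. A real server gets
// this by calling its DNS library's TSIG verify routine, not by hand-rolling it.
func tsigStatusVerified(rec tsigRecord, message []byte) error {
	secret, ok := configuredKeys[rec.KeyName]
	if !ok {
		return errUnknownKey
	}
	if !hmac.Equal(computeMAC(secret, message), rec.MAC) {
		return errBadMAC
	}
	return nil
}

// isAuthenticated models a TSIG-gated plugin that allows an operation when
// the transport's status is nil; that trust is exactly what the bug abuses.
func isAuthenticated(status func(tsigRecord, []byte) error, rec tsigRecord, msg []byte) bool {
	return status(rec, msg) == nil
}

func main() {
	msg := []byte("constructed AXFR request for example.")
	// Names a configured key but carries an all-zero MAC.
	wrongMAC := tsigRecord{KeyName: "axfr-key.example.", MAC: make([]byte, sha256.Size)}
	// Names a key that is not configured at all.
	unknown := tsigRecord{KeyName: "nobody.example.", MAC: nil}
	// MAC computed with the configured secret: the only one that should pass.
	genuine := tsigRecord{KeyName: "axfr-key.example.", MAC: computeMAC(configuredKeys["axfr-key.example."], msg)}

	for _, c := range []struct {
		name   string
		status func(tsigRecord, []byte) error
	}{
		{"key-name-only (pre-1.14.3 gRPC/QUIC)", tsigStatusKeyNameOnly},
		{"always-nil (pre-1.14.3 DoH/DoH3)", tsigStatusAlwaysNil},
		{"verified (correct)", tsigStatusVerified},
	} {
		fmt.Printf("%-38s wrongMAC=%-5v unknownKey=%-5v genuine=%v\n", c.name,
			isAuthenticated(c.status, wrongMAC, msg),
			isAuthenticated(c.status, unknown, msg),
			isAuthenticated(c.status, genuine, msg))
	}
}
```

Only the verified variant rejects both the wrong-MAC and the unknown-key records while still accepting the genuine one; the key-name-only variant accepts any MAC for a known name, and the always-nil variant accepts everything. The `hmac.Equal` comparison matters as well: a plain `bytes.Equal` would make the timing of the comparison depend on how many leading MAC bytes match.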
Published: 2026-05-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CoreDNS before version 1.14.3 has a false‑accept bug in TSIG handling across gRPC, QUIC, DoH, and DoH3. The server verifies the presence of a configured key name but never validates the HMAC, and for DoH/DoH3 it ignores TSIG records entirely, so any request with a TSIG record is treated as authenticated. This leads to an authentication bypass (CWE‑287) and also effectively grants unrestricted access to TSIG‑protected operations such as zone transfers and dynamic updates (CWE‑303). Attackers can perform unauthorized zone transfers, dynamic DNS updates, or other privileged operations that normally require a valid TSIG key.

Affected Systems

The vulnerable component is CoreDNS, released by the coredns organization. All builds prior to version 1.14.3 are affected. CoreDNS is widely used in Kubernetes and cloud‑native environments. The issue is fixed in release 1.14.3.

Risk and Exploitability

The CVSS score of 8.2 reflects significant remote impact. The EPSS score of 0.00066 indicates a very low but non-zero probability of exploitation in the wild; nonetheless, the flaw is exploitable by any network adversary with reach to the affected ports, and for DoH or DoH3 the attacker does not need to know a valid key name. The vulnerability is not listed in the CISA KEV catalog, but its absence from that catalog does not diminish the risk to environments exposing TSIG‑enabled transports. The attack path consists of sending a forged TSIG‑bearing request to the server, which then performs privileged actions such as returning zone data or applying updates that change server state.

Generated by OpenCVE AI on May 14, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CoreDNS to version 1.14.3 or later, which implements correct TSIG verification for all transports.
  • If an upgrade is not feasible, disable the gRPC, QUIC, DoH, and DoH3 listeners that require TSIG authentication to prevent forged requests from reaching the server.
  • Enforce network‑level restrictions on the ports used by those transports, allowing traffic only from trusted sources; a firewall or security group can enforce this limitation.



Advisories
Source        ID                     Title
Github GHSA   GHSA-vp29-5652-4fw9    CoreDNS has TSIG authentication bypass on gRPC and QUIC transports
History

Thu, 14 May 2026 12:15:00 +0000

Type          Values Removed            Values Added
Weaknesses                              CWE-303
References
Metrics       threat_severity: None     threat_severity: Important


Fri, 08 May 2026 16:00:00 +0000

Type          Values Removed   Values Added
CPEs                           cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:*
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 15:30:00 +0000

Type          Values Removed   Values Added
Metrics                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Coredns.io
                                       Coredns.io coredns
Vendors & Products                     Coredns.io
                                       Coredns.io coredns

Tue, 05 May 2026 21:00:00 +0000

Type          Values Removed   Values Added
Description                    CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate the HMAC. If the key name matches a configured key, the tsigStatus field remains nil and the tsig plugin treats the request as successfully authenticated regardless of the MAC value. For DoH and DoH3, the issue is more severe: the DoHWriter.TsigStatus() method unconditionally returns nil, and the server never inspects the TSIG record at all. Any request containing a TSIG record is treated as authenticated over DoH and DoH3, even if the key name is invalid and the MAC is arbitrary. An unauthenticated network attacker can exploit this to bypass TSIG-protected functionality such as AXFR/IXFR zone transfers, dynamic DNS updates, or other TSIG-gated plugin behavior. The DoH and DoH3 variants have a lower exploitation bar because the attacker does not need to know a valid TSIG key name. This issue has been fixed in version 1.14.3. As a workaround, disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, or restrict network-level access to affected transport ports to trusted sources only.
Title                          CoreDNS TSIG authentication bypass on gRPC, QUIC, DoH, and DoH3 transports
Weaknesses                     CWE-287
References
Metrics                        cvssV4_0: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T14:30:35.454Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35579

Vulnrichment

Updated: 2026-05-06T14:30:27.071Z

NVD

Status : Analyzed

Published: 2026-05-05T21:16:22.247

Modified: 2026-05-08T15:58:53.173

Link: CVE-2026-35579

Redhat

Severity : Important

Public Date: 2026-05-05T20:29:16Z

Links: CVE-2026-35579 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T14:00:20Z

Weaknesses