Description
Insufficient Validation of Names During AXFR
Published: 2026-05-21
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The record's title and one-line description state only that names are insufficiently validated during AXFR; the CNA (OX) supplied no further detail. The CVSS 3.1 vector attached to the record, AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N, rates the outcome as a high integrity impact with no confidentiality or availability impact, so what is at stake is the correctness of zone data that passes through a transfer, not disclosure of records. The weakness tag on the record has moved between CWE-20 (Improper Input Validation) and CWE-77 (Improper Neutralization of Special Elements used in a Command); see History. The 6.8 base score reflects the trade-off between high attack complexity and a changed scope, in which the effect reaches beyond the vulnerable component itself.

Affected Systems

The affected product is PowerDNS Authoritative. The CNA supplied no version information, so any deployment that takes part in zone transfers, whether serving AXFR to secondaries or pulling zones as a secondary, should be treated as potentially affected until the vendor advisory, or the Debian DSA listed under Advisories, confirms which release carries the fix.

Risk and Exploitability

The EPSS score of < 1% and the absence of a CISA KEV listing indicate no evidence of exploitation in the wild, and the SSVC values recorded on 21 May (Exploitation: none, Automatable: no, Technical Impact: partial) say the same. The vector places the attacker on the network with no privileges and no user interaction, but at high attack complexity. The names exchanged in an AXFR come from two places, the requesting client's query and the zone content the primary sends, and the record does not say which side fails to validate them, so the attacker could be either a host the server answers transfers to or a primary the server transfers from. Until the vendor clarifies, both should be assumed in scope, and the outcome to plan for is altered zone data (integrity), not leaked records.

Generated by OpenCVE AI on May 21, 2026 at 16:21 UTC.

Remediation

The record itself lists no vendor fix or workaround. The Advisories section below does list Debian DSA-6284-1 (pdns security update), so Debian users have a packaged fix to apply.

OpenCVE Recommended Actions

  • Upgrade PowerDNS Authoritative to a release that contains the AXFR name‑validation fix, as identified by the vendor advisory or, on Debian, DSA-6284-1.
  • If a patch is not yet available, restrict AXFR to an allow list of trusted secondary addresses, or disable AXFR entirely on servers that never need to serve transfers. Because the record does not say whether the serving or the receiving side of the transfer is affected, treat this as defence in depth rather than a confirmed workaround, and apply the same scrutiny to which primaries your secondaries pull from.
  • Filter AXFR at the network perimeter: zone transfers run over TCP port 53, so the ACL must cover TCP, not only UDP, and should admit only the addresses of known transfer peers.
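A check for the second and third points above, added here as an example and not taken from the CVE record or from the PowerDNS project: it parses a pdns.conf text for the real PowerDNS settings disable-axfr and allow-axfr-ips and reports whether the server would answer AXFR from anywhere, from listed peers only, or not at all. The config texts are constructed; the script assumes that when a setting is repeated the last assignment wins, and the probe_axfr function (a plain dig AXFR query over TCP) is for an authorised test against your own server and is not run here.

```shell
#!/bin/sh
# Added example, not part of the CVE record or of PowerDNS itself: audit the
# AXFR-serving posture of a PowerDNS Authoritative pdns.conf. The setting names
# are real PowerDNS options (disable-axfr, allow-axfr-ips); the config texts
# below are constructed for the example, and the script assumes that when a
# setting is repeated the last assignment is the effective one.

# Print the effective value of setting $2 from the config text $1, with
# comments stripped; prints nothing when the setting does not appear.
pdns_setting() {
    printf '%s\n' "$1" |
        sed -e 's/#.*$//' |
        grep -E "^[[:space:]]*$2[[:space:]]*=" |
        tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Classify a config text as "closed" (AXFR disabled), "open" (any source may
# request a transfer) or "restricted" (limited to listed addresses).
axfr_posture() {
    cfg="$1"
    case "$(pdns_setting "$cfg" disable-axfr)" in
        yes|true|on|1) echo closed; return 0 ;;
    esac
    # Absent and empty mean different things: absent falls back to the
    # PowerDNS default (loopback only); empty allows no unsigned AXFR at all.
    if printf '%s\n' "$cfg" | sed -e 's/#.*$//' |
            grep -Eq '^[[:space:]]*allow-axfr-ips[[:space:]]*='; then
        ips=$(pdns_setting "$cfg" allow-axfr-ips | tr -d '[:space:]')
    else
        ips='127.0.0.0/8,::1'
    fi
    case ",$ips," in
        *,0.0.0.0/0,*|*,::/0,*) echo open ;;
        *) echo restricted ;;
    esac
}

# Live check against a server you are authorised to test (needs the network,
# not run here): any answer records mean the server serves AXFR to this client.
probe_axfr() {
    dig @"$1" "$2" AXFR +noall +answer +tcp | head -n 3
}

# Constructed configs: a wide-open server and the same server hardened.
OPEN_CFG='launch=gsqlite3
allow-axfr-ips=0.0.0.0/0,::/0'
HARDENED_CFG='launch=gsqlite3
allow-axfr-ips=192.0.2.10,2001:db8::10   # secondaries only
disable-axfr=no'
echo "open config:     $(axfr_posture "$OPEN_CFG")"
echo "hardened config: $(axfr_posture "$HARDENED_CFG")"
```

On a live server run it against the real file, for example axfr_posture "$(cat /etc/powerdns/pdns.conf)"; an "open" result means any client can pull whole zones, which is the exposure the recommendations above are meant to close. Per-zone overrides set through the ALLOW-AXFR-FROM domain metadata live in the backend, not in pdns.conf, and are not read by this check.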

Advisories
Source       ID           Title
Debian DSA   DSA-6284-1   pdns security update
History

Thu, 21 May 2026 15:15:00 +0000
Type                  Values Removed / Values Added
Weaknesses            CWE-20

Thu, 21 May 2026 12:15:00 +0000
Type                  Values Removed / Values Added
Weaknesses            CWE-20, CWE-77
Metrics               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 11:45:00 +0000
Type                  Values Removed / Values Added
First Time appeared   Powerdns, Powerdns authoritative
Vendors & Products    Powerdns, Powerdns authoritative

Thu, 21 May 2026 10:15:00 +0000
Type                  Values Removed / Values Added
Description           Insufficient Validation of Names During AXFR
Title                 Insufficient Validation of Names During AXFR
References
Metrics               cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-21T12:02:35.449Z

Reserved: 2026-04-23T11:15:21.198Z

Link: CVE-2026-42000

Vulnrichment

Updated: 2026-05-21T12:02:05.030Z

NVD

Status: Awaiting Analysis

Published: 2026-05-21T10:16:25.563

Modified: 2026-05-21T15:27:51.530

Link: CVE-2026-42000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T16:30:14Z

Weaknesses