
@alon710
Created March 6, 2026 18:40
CVE-2026-26017: CoreDNS ACL Bypass via TOCTOU in Plugin Chain - CVE Security Report

CVSS Score: 7.7 Published: 2026-03-06 Full Report: https://cvereports.com/reports/CVE-2026-26017

Summary

A logical vulnerability in CoreDNS versions prior to 1.14.2 allows attackers to bypass access control lists (ACLs) via a Time-of-Check Time-of-Use (TOCTOU) flaw. The default plugin execution order processes security enforcement plugins (such as acl, firewall, and opa) before the rewrite plugin. Consequently, an attacker can query a permitted domain name that is subsequently rewritten to a restricted internal domain, bypassing the intended security policies and resolving the restricted target.

TL;DR

CoreDNS < 1.14.2 evaluates ACLs before rewriting query names. Attackers can query an allowed domain that rewrites to a restricted internal domain, bypassing security controls.

Technical Details

  • CWE ID: CWE-367 (TOCTOU)
  • Attack Vector: Network
  • CVSS v3.1: 7.7 (High)
  • Impact: ACL Bypass / Information Disclosure
  • Exploit Status: No Active Exploitation
  • Fixed Version: 1.14.2

Affected Systems

  • CoreDNS < 1.14.2
  • Kubernetes clusters using default CoreDNS images < 1.14.2
  • Custom DNS deployments using rewrite and acl plugins together

Mitigation

  • Upgrade CoreDNS to version 1.14.2 or later.
  • Manually reorder plugin.cfg in custom builds to place rewrite before acl.
  • Audit existing rewrite rules to ensure no aliases point to sensitive internal targets without secondary protections.

Remediation Steps:

  1. Check the running CoreDNS version: coredns -version.
  2. If version is < 1.14.2, update the container image or binary to the latest stable release.
  3. If using a custom compiled version: Open plugin.cfg.
  4. Locate the rewrite plugin line.
  5. Move the rewrite line strictly above acl, firewall, and opa lines.
  6. Re-run make or go generate && go build to produce the patched binary.
  7. Deploy the new binary and verify plugin order by checking logs during startup (plugins load in the configured order).
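As an added illustration of steps 3 to 7 (this script is not part of the report or of CoreDNS itself), the following Python checks a plugin.cfg for enforcement plugins listed before rewrite and moves the rewrite entry directly above the first of them. The plugin.cfg excerpt and the external plugin paths in it are constructed for the example.

```python
"""Audit and fix plugin.cfg ordering relevant to CVE-2026-26017.

plugin.cfg lists one 'name:package' entry per line and CoreDNS executes
plugins in that order, so a rewrite entry below acl/firewall/opa means a
query is policy-checked on its original name and only then rewritten.
"""
import re

ENFORCEMENT = ("acl", "firewall", "opa")  # policy plugins named in the report
ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(\S+)\s*$")

# Constructed excerpt modelled on the plugin.cfg layout; paths are illustrative.
VULNERABLE_CFG = """\
# Directives are registered in the order they should be executed.
metadata:metadata
acl:acl
firewall:github.com/coredns/policy/plugin/firewall
rewrite:rewrite
forward:forward
"""


def _name(line: str):
    """Plugin name of a plugin.cfg line, or None for comments/blank lines."""
    m = ENTRY_RE.match(line)
    return m.group(1) if m and not line.lstrip().startswith("#") else None


def parse_plugin_cfg(text: str) -> list:
    """Return plugin names in execution order."""
    return [n for n in (_name(l) for l in text.splitlines()) if n]


def misordered_enforcers(text: str) -> list:
    """Enforcement plugins that run before rewrite (empty list means safe)."""
    order = parse_plugin_cfg(text)
    if "rewrite" not in order:
        return []
    rw = order.index("rewrite")
    return [p for p in ENFORCEMENT if p in order and order.index(p) < rw]


def move_rewrite_above_enforcers(text: str) -> str:
    """Return plugin.cfg with the rewrite line placed just above the first enforcer."""
    lines = text.splitlines()
    rw = next((i for i, l in enumerate(lines) if _name(l) == "rewrite"), None)
    first = next((i for i, l in enumerate(lines) if _name(l) in ENFORCEMENT), None)
    if rw is None or first is None or rw < first:
        return text  # no rewrite, no enforcers, or already ordered correctly
    lines.insert(first, lines.pop(rw))  # rw > first, so 'first' is still valid
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("enforcers evaluated before rewrite:", misordered_enforcers(VULNERABLE_CFG))
    print(move_rewrite_above_enforcers(VULNERABLE_CFG))
```

Run it against the real plugin.cfg of a custom build before step 6; an empty result from misordered_enforcers confirms the order step 5 asks for.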

Generated by CVEReports - Automated Vulnerability Intelligence
