
Security Alert: Two Critical Vulnerabilities in Apache ZooKeeper May Lead to Data Leakage and Server Impersonation

  • Mar 11
  • 3 min read

Updated: Mar 12

Cybersecurity researchers have recently disclosed two significant vulnerabilities in Apache ZooKeeper, an open-source coordination service widely used to manage configuration, synchronization, and distributed services in modern infrastructures.

If exploited, these vulnerabilities could expose sensitive configuration data or allow attackers to impersonate trusted servers, potentially undermining the security of distributed systems.

The vulnerabilities are tracked as CVE-2026-24308 and CVE-2026-24281, affecting ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4. Security fixes have been released in versions 3.8.6 and 3.9.5.

What is Apache ZooKeeper and why it matters

Apache ZooKeeper is a distributed coordination service developed by the Apache Software Foundation. It is commonly used to manage configuration data, naming services, synchronization, and group services in distributed applications.

ZooKeeper is frequently deployed in large-scale systems such as:

  • Big data platforms

  • Microservices architectures

  • Distributed clusters including Apache Kafka, Apache Hadoop, and Apache HBase

  • High-availability cluster infrastructures

Because ZooKeeper often acts as a central coordination component, vulnerabilities in this service can potentially impact multiple services across the infrastructure.

Image: Apache ZooKeeper Vulnerability (Ref: AdSecVN)

Details of the vulnerabilities

  1. CVE-2026-24308 – Sensitive configuration data leakage

The vulnerability CVE-2026-24308 stems from improper handling of configuration parameters in the ZKConfig component.

In affected versions, certain sensitive client configuration values may be logged at the INFO level, potentially exposing confidential information if log files are accessed by unauthorized users.

Exposed information may include:

  • configuration parameters

  • authentication details

  • client connection settings

If attackers gain access to these logs, they may collect sensitive data that could facilitate further attacks such as credential theft or unauthorized access.

The vulnerability has been rated high severity (CVSS around 7.5) due to the risk of exposing critical operational data.

  2. CVE-2026-24281 – Server impersonation risk via reverse DNS

The second vulnerability, CVE-2026-24281, involves the hostname verification logic within ZKTrustManager.

During TLS verification, ZooKeeper typically validates the Subject Alternative Name (SAN) field in certificates. However, if this verification fails, the system may fall back to reverse DNS (PTR record) lookups to validate the hostname.

If an attacker can manipulate or control the PTR record, they may be able to impersonate a legitimate server or client, especially if they possess a trusted certificate.

Although exploiting this issue requires additional conditions (such as certificate control), it still presents a notable risk in complex enterprise infrastructures.
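To make the fallback concrete, here is an added Python model of the hostname check as the advisory describes it (SAN first, PTR lookup second); it is not ZooKeeper's ZKTrustManager code. The certificates, addresses, PTR table and the assumption that cluster peers connect by IP address are all constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

class PeerCert:
    """Constructed stand-in for a peer certificate; only the SAN entries matter for this check."""
    def __init__(self, san_dns: List[str], san_ip: Optional[List[str]] = None):
        self.san_dns, self.san_ip = san_dns, (san_ip or [])

PtrLookup = Callable[[str], Optional[str]]  # peer IP -> PTR hostname, or None if no record

def verify_peer(cert: PeerCert, peer_ip: str, ptr: PtrLookup,
                reverse_dns_fallback: bool) -> Tuple[bool, str]:
    """Check modelled on the advisory text: match the SAN against the address the peer connected
    from; only if that fails and the fallback is on, match it against the IP's PTR name."""
    if peer_ip in cert.san_ip:
        return True, "san-ip-match"
    if not reverse_dns_fallback:
        return False, "san-mismatch"
    # The weak step: the PTR answer is chosen by whoever administers the reverse zone for
    # peer_ip, so a match here says nothing about whether the peer is a node we trust.
    name = ptr(peer_ip)
    if name is not None and name in cert.san_dns:
        return True, "ptr-fallback"
    return False, "san-mismatch"

# Constructed scenario. zk1 has an IP SAN; zk2 has a DNS-only SAN (common with older issuance);
# 198.51.100.7 is an unrelated host holding a CA-trusted certificate for its own name and
# administering its own reverse zone. The table stands in for real reverse DNS (runs offline).
def PTR(ip: str) -> Optional[str]:
    return {"10.0.0.5": "zk1.example.internal", "10.0.0.6": "zk2.example.internal",
            "198.51.100.7": "other.example.internal"}.get(ip)

PEERS = {
    "zk1":   (PeerCert(["zk1.example.internal"], ["10.0.0.5"]), "10.0.0.5"),
    "zk2":   (PeerCert(["zk2.example.internal"]), "10.0.0.6"),
    "other": (PeerCert(["other.example.internal"]), "198.51.100.7"),
}

def scenario(reverse_dns_fallback: bool) -> Dict[str, str]:
    """Outcome per peer: with the fallback on, 'other' is accepted on the strength of its PTR;
    with it off, 'other' is rejected, but so is zk2 until it gets a certificate with an IP SAN."""
    return {n: verify_peer(c, ip, PTR, reverse_dns_fallback)[1] for n, (c, ip) in PEERS.items()}

if __name__ == "__main__":
    for setting in (True, False):
        print(f"reverse_dns_fallback={setting}: {scenario(setting)}")
```

The zk2 case is the operational caveat: before disabling the fallback after upgrading, confirm that every ensemble member's certificate matches the address peers actually use to connect, or the fix will reject legitimate nodes as well.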

Affected versions

The vulnerabilities impact the following versions:

Affected Versions    Fixed Version
3.8.0 – 3.8.5        3.8.6
3.9.0 – 3.9.4        3.9.5

The security updates also introduce configuration options that let administrators disable the reverse DNS lookup, reducing the risk of a hostname verification bypass.

Potential risks for organizations

Since ZooKeeper is often deployed as a core component in distributed infrastructures, these vulnerabilities could lead to several security risks:

  • exposure of sensitive configuration data

  • server or client impersonation within clusters

  • unauthorized access to distributed systems

  • compromise of big data or microservices environments

In large infrastructures, a successful attack could potentially affect multiple services simultaneously, increasing the overall impact.

Image: Apache ZooKeeper and potential risks for organizations (Ref: AI)

Security recommendations

Organizations using Apache ZooKeeper should take the following steps:

Update immediately

Upgrade to ZooKeeper 3.8.6 or later on the 3.8 line, or 3.9.5 or later on the 3.9 line.

Review log files

Check historical logs for potential exposure of sensitive configuration data.

Rotate credentials

If sensitive information appears in logs, rotate passwords, keys, and access tokens.

Strengthen monitoring

Implement monitoring and security controls to detect suspicious access patterns.
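For the "Review log files" step, and as a companion to the CVE-2026-24308 description above, here is an added Python script (not ZooKeeper's or the advisory's code) that scans log lines for configuration values written by the ZKConfig logger and reports any that look like credentials, with the values redacted so the report itself does not re-leak them. The log layout, the logger name and the list of sensitive-looking key names are assumptions; the sample log is constructed with fake values.

```python
import re

# Assumed log4j-style layout "<date> <time> [<thread>] <LEVEL> <logger> - <message>"; adjust
# LOG_RE to the layout your own zookeeper.log files use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]*)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)
# Property names that look like secrets; an assumed list, not the set named in the advisory.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|credential)", re.I)
KV_RE = re.compile(r"([\w.]+)\s*=\s*([^,\s]+)")

def find_leaks(lines, logger_filter="ZKConfig"):
    """Return one dict per sensitive-looking key=value pair found in a ZKConfig log message."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or logger_filter not in m["logger"]:
            continue
        for key, value in KV_RE.findall(m["msg"]):
            if SENSITIVE_KEY.search(key):
                hits.append({"line": n, "level": m["level"], "key": key, "value": value})
    return hits

def redact(value, keep=2):
    """Keep a short prefix so a finding can be matched to a credential without re-leaking it."""
    return value[:keep] + "*" * max(len(value) - keep, 3)

def report(lines):
    """Human-readable findings with values redacted, suitable for a credential-rotation ticket."""
    return [f"line {h['line']} [{h['level']}] {h['key']}={redact(h['value'])}"
            for h in find_leaks(lines)]

# Constructed sample log: the property names mirror ZooKeeper's TLS settings, the values are fake.
SAMPLE_LOG = """\
2026-03-10 08:12:01,334 [main] INFO  org.apache.zookeeper.common.ZKConfig - Reading configuration from: /opt/zk/conf/zoo.cfg
2026-03-10 08:12:01,340 [main] INFO  org.apache.zookeeper.common.ZKConfig - zookeeper.ssl.keyStore.password=hunter2-example, zookeeper.ssl.keyStore.location=/etc/zk/keystore.jks
2026-03-10 08:12:01,341 [main] INFO  org.apache.zookeeper.common.ZKConfig - zookeeper.ssl.trustStore.password=tsecret-example
2026-03-10 08:12:02,002 [main] INFO  org.apache.zookeeper.server.ZooKeeperServer - Server environment:host.name=zk1
""".splitlines()

if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```

Run it over archived logs as well as current ones, since the point of the review is to find values that were written before the upgrade; every key it reports is a candidate for the "Rotate credentials" step.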

The discovery of these vulnerabilities highlights the importance of maintaining up-to-date software and continuously monitoring security within distributed infrastructures. Applying security patches promptly and reviewing system configurations are essential steps to prevent data leakage and protect enterprise IT environments from potential cyber threats.

References: AdSecVN, VPN Central
