anonhaven
Ad

CVE-2026-26017

HIGH CVSS 3.1: 7.7
Updated Mar 06, 2026
Coredns
Parameter Value
CVSS 7.7 (HIGH)
Fixed In 1.14.2
Type CWE-367 (Time-of-check Time-of-use TOCTOU (Гонка проверки и использования))
Vendor Coredns
Public PoC No

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.

This issue has been patched in version 1.14.2.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Privileges Required
Low
Нужны базовые права
User Interaction
None
Не нужно действие пользователя

Impact Assessment

Confidentiality
High
Полная утечка данных
Integrity
None
Нет модификации данных
Availability
None
Нет нарушения работы

CVSS Vector v3.1

Weakness Type (CWE)

CWE-367 Time-of-check Time-of-use TOCTOU (Гонка проверки и использования)

References 2

https://github.com/coredns/coredns/releases/tag/v1.14.2
security-advisories@github.com
https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-26018

Coredns

7.5