Apache ZooKeeper patches two important flaws that can expose sensitive data and weaken trust checks


Apache ZooKeeper has disclosed two important-severity vulnerabilities that administrators should patch quickly. The flaws can expose sensitive client configuration data in log files and weaken hostname verification in TLS connections, and Apache says both issues affect the 3.8.x and 3.9.x branches up to and including 3.8.5 and 3.9.4.

Apache recommends upgrading to ZooKeeper 3.8.6 or 3.9.5. Those releases fix both CVE-2026-24308 and CVE-2026-24281, according to the project’s official security page.

The first flaw, CVE-2026-24308, is a sensitive information disclosure issue in ZKConfig. Apache says improper handling of configuration values can expose sensitive information stored in client configuration through the client’s log file at INFO logging level, which can put production systems at risk if attackers or unauthorized users can access those logs.

The second flaw, CVE-2026-24281, affects ZooKeeper’s ZKTrustManager. Apache says hostname verification falls back to reverse DNS, or PTR lookup, when IP Subject Alternative Name validation fails. That can let an attacker who controls or spoofs PTR records impersonate ZooKeeper servers or clients if they also present a certificate trusted by ZKTrustManager.

In practical terms, the first bug creates a data exposure risk, while the second can weaken the trust model used in secure ZooKeeper deployments. The second issue is harder to exploit because the attacker still needs a trusted certificate, but Apache still classifies it as important and shipped a direct fix for it.

What the two ZooKeeper vulnerabilities do

Apache says CVE-2026-24308 affects Apache ZooKeeper 3.9.0 through 3.9.4 and 3.8.0 through 3.8.5. Nothing inside ZooKeeper has to be exploited for the leak to happen: the sensitive configuration values are written to the client log file at INFO level during normal operation, so anyone who can read that log, including copies that have been rotated, archived or forwarded to a central log store, can recover them.

Apache credits researcher Youlong Chen with reporting CVE-2026-24308. The project’s advisory explicitly says users should upgrade to 3.8.6 or 3.9.5 to resolve the issue.

For CVE-2026-24281, Apache says the same version ranges are affected: 3.9.0 through 3.9.4 and 3.8.0 through 3.8.5. The project tracks this issue internally as ZOOKEEPER-4986.

Apache credits Nikita Markevich with reporting the hostname verification bypass. The fix introduces a new configuration option that disables reverse DNS lookup in client and quorum protocols, which closes the fallback behavior that created the risk.
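The following model shows why the fallback matters. It is an added illustration, not ZooKeeper's ZKTrustManager code, and it only models the behaviour the advisory describes: the peer's IP address is checked against the certificate's IP SANs, and in the vulnerable variant a failed IP check falls back to a PTR lookup of that address, whose answer is then matched against the certificate's DNS SANs. All certificates, addresses and PTR answers are constructed, the resolver is replaced by a function so the script runs offline, and the certificate chain is assumed to already be trusted (the precondition the advisory states).

```python
"""Model of TLS peer identity checking with and without a reverse-DNS fallback.

Added illustration; this is not ZooKeeper's ZKTrustManager code. Certificates,
addresses and PTR answers are constructed; the chain is assumed trusted.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class PeerCert:
    """Only the SAN entries matter for this check."""
    dns_sans: list[str] = field(default_factory=list)
    ip_sans: list[str] = field(default_factory=list)


def dns_name_matches(name: str, pattern: str) -> bool:
    """Exact match, or a single leftmost wildcard label (RFC 6125 style)."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return name == pattern


def verify_peer(peer_ip: str, cert: PeerCert,
                ptr_lookup: Callable[[str], Optional[str]],
                allow_reverse_dns: bool) -> tuple[bool, str]:
    """Return (accepted, reason).

    ptr_lookup stands in for the resolver so the example runs offline; whoever
    controls (or can spoof) the PTR zone for peer_ip controls what it returns.
    """
    ip = ipaddress.ip_address(peer_ip)
    if any(ip == ipaddress.ip_address(s) for s in cert.ip_sans):
        return True, "peer address matched an IP SAN"
    if not allow_reverse_dns:
        return False, "peer address not in IP SANs; no reverse DNS fallback"
    # Vulnerable path: the PTR answer becomes the identity that gets verified.
    ptr_name = ptr_lookup(peer_ip)
    if ptr_name and any(dns_name_matches(ptr_name, d) for d in cert.dns_sans):
        return True, f"PTR name {ptr_name!r} matched a DNS SAN via reverse DNS fallback"
    return False, "peer address not in IP SANs and PTR name matched no DNS SAN"


# Constructed scenario: a certificate the trust store accepts, issued for the
# batch host at 10.0.0.50, has been obtained by an attacker who connects from
# 10.0.0.99, an address whose PTR record they control.
ATTACKER_IP = "10.0.0.99"
BATCH_CERT = PeerCert(dns_sans=["batch.internal.example"], ip_sans=["10.0.0.50"])


def spoofed_ptr(ip: str) -> Optional[str]:
    return {"10.0.0.99": "batch.internal.example"}.get(ip)


def honest_ptr(ip: str) -> Optional[str]:
    return {"10.0.0.99": "attacker-box.internal.example"}.get(ip)


def demo() -> dict[str, bool]:
    """Outcome of the check under each policy; True means the peer was accepted."""
    return {
        "fallback_spoofed_ptr": verify_peer(ATTACKER_IP, BATCH_CERT, spoofed_ptr, True)[0],
        "fallback_honest_ptr": verify_peer(ATTACKER_IP, BATCH_CERT, honest_ptr, True)[0],
        "fallback_disabled": verify_peer(ATTACKER_IP, BATCH_CERT, spoofed_ptr, False)[0],
        "legit_peer_no_fallback": verify_peer("10.0.0.50", BATCH_CERT, spoofed_ptr, False)[0],
    }


if __name__ == "__main__":
    for policy, accepted in demo().items():
        print(f"{policy}: {'ACCEPT' if accepted else 'REJECT'}")
```

The first two results are the whole story: with the fallback enabled, the same trusted-but-wrong certificate is accepted or rejected depending only on what the PTR zone says, and the PTR zone is not something the certificate authority vouches for. Disabling the fallback makes the decision depend on the certificate alone, and the legitimate peer at 10.0.0.50 still passes because its address is in the IP SANs.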

ZooKeeper flaws at a glance

Vulnerability | Severity | What it does | Affected versions | Fixed versions
CVE-2026-24308 | Important | Exposes sensitive client configuration values in log files | 3.8.0 to 3.8.5, 3.9.0 to 3.9.4 | 3.8.6, 3.9.5
CVE-2026-24281 | Important | Allows hostname verification bypass through reverse DNS fallback | 3.8.0 to 3.8.5, 3.9.0 to 3.9.4 | 3.8.6, 3.9.5

What admins should do now

  • Upgrade ZooKeeper to 3.8.6 or 3.9.5. Apache lists those as the fixed releases for both issues.
  • Review client log files and archived logs for exposed sensitive configuration values if you ran affected versions. This step is a reasonable response based on Apache’s description of CVE-2026-24308 leaking data into client logs.
  • Review TLS and certificate validation settings in ZooKeeper environments that use client or quorum protocols, especially if reverse DNS behavior could affect hostname verification. This is an inference based on Apache’s explanation of CVE-2026-24281 and its new configuration option; the advisory text summarized here does not give the option’s name or default, so confirm both in the 3.8.6 or 3.9.5 release notes after upgrading.
  • Track ZOOKEEPER-4986 if your team follows Apache issue references during patch validation. Apache links that internal issue directly from the advisory.
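A scanner for the log review step above, as an added example rather than ZooKeeper code. The advisory does not say which configuration values leak, so the scanner flags any key=value pair whose key is one of the real ZooKeeper TLS password properties or simply looks credential-bearing, at every log level, and records the level so INFO-level hits (the case the advisory describes) stand out. It reads plain and gzip-rotated files so archived logs are covered. The sample lines are constructed to resemble a log4j-style layout and are not real ZooKeeper output; the redacted findings only carry the length of each value, never the value itself.

```python
"""Scan ZooKeeper client logs, including rotated archives, for configuration
values that should never have been written to a log.

Added example; not ZooKeeper code. Sample log lines are constructed.
"""
from __future__ import annotations

import gzip
import re
import sys
from pathlib import Path
from typing import Iterable, Iterator

# Real ZooKeeper client/quorum TLS properties whose values are secrets.
KNOWN_SECRET_KEYS = {
    "zookeeper.ssl.keyStore.password",
    "zookeeper.ssl.trustStore.password",
    "zookeeper.ssl.quorum.keyStore.password",
    "zookeeper.ssl.quorum.trustStore.password",
}
SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|credential", re.I)
# key=value pairs as they appear in a logged config dump; the value runs to the
# next whitespace, comma or closing bracket.
KV_RE = re.compile(r"([A-Za-z][\w.]*)\s*=\s*([^\s,}\]]+)")
LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN|ERROR)\b")


def find_leaks(lines: Iterable[str]) -> list[dict]:
    """One finding per sensitive key=value pair. Only the value's length is
    kept, so the report can be shared without re-leaking the secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        level = LEVEL_RE.search(line)
        for key, value in KV_RE.findall(line):
            if key in KNOWN_SECRET_KEYS or SENSITIVE_KEY_RE.search(key):
                findings.append({
                    "line": lineno,
                    "level": level.group(1) if level else "?",
                    "key": key,
                    "value_len": len(value),
                })
    return findings


def iter_log_lines(path: Path) -> Iterator[str]:
    """Yield lines from a plain or gzip-rotated log file."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as f:
        yield from f


# Constructed sample: an INFO config dump containing a keystore password and a
# DEBUG line containing a truststore password.
SAMPLE_LOG = """\
2026-01-15 10:02:11,041 [main] INFO  ZKClientConfig - Reading configuration from: /etc/zk/client.cfg
2026-01-15 10:02:11,044 [main] INFO  ZKClientConfig - Loaded client config {zookeeper.client.secure=true, zookeeper.ssl.keyStore.location=/etc/zk/client.p12, zookeeper.ssl.keyStore.password=hunter2, zookeeper.sasl.client=false}
2026-01-15 10:02:11,050 [main] DEBUG X509Util - zookeeper.ssl.trustStore.password=topsecret
2026-01-15 10:02:11,080 [main] INFO  ClientCnxn - Opening socket connection to server zk1.internal.example/10.0.0.1:2281
""".splitlines()


def main(paths: list[str]) -> int:
    """Scan the given files, or the constructed sample when none are given.
    Exit status 1 means something was found and the secrets need rotating."""
    findings = []
    if paths:
        for p in paths:
            findings += [dict(f, file=p) for f in find_leaks(iter_log_lines(Path(p)))]
    else:
        findings = [dict(f, file="<sample>") for f in find_leaks(SAMPLE_LOG)]
    for f in findings:
        print(f"{f['file']}:{f['line']} [{f['level']}] {f['key']} (value length {f['value_len']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python scan_zk_logs.py /var/log/zookeeper/*.log /var/log/zookeeper/*.log.gz` (the script name is a placeholder). Treat every hit as a secret to rotate, not merely a line to delete: the log may already have been copied to backups or a log pipeline, and deleting the line locally does not undo that.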

Why this matters

ZooKeeper often sits underneath distributed systems that depend on it for coordination, naming, and configuration. A logging flaw that exposes sensitive values can therefore spill operational secrets, while a trust verification flaw can weaken the security of node-to-node or client-to-server communication. That risk framing is an inference from the official descriptions, but it matches the role ZooKeeper plays in production environments.

The good news is that Apache has already published the fixes, and the affected version ranges are clear. For most teams, this should now be a straightforward patching and review exercise rather than a wait-and-see situation.

FAQ

What is the main risk from CVE-2026-24308?

Apache says this flaw can expose sensitive information stored in client configuration through the client’s log file at INFO level.

What is the main risk from CVE-2026-24281?

Apache says hostname verification can fall back to reverse DNS when IP SAN validation fails, which can let an attacker impersonate ZooKeeper servers or clients if they control or spoof PTR records and present a trusted certificate.

Which ZooKeeper versions are affected?

Apache lists ZooKeeper 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4 as affected for both vulnerabilities.

Which versions fix the issues?

Apache recommends upgrading to ZooKeeper 3.8.6 or 3.9.5.

Are the CVE records fully populated yet?

The CVE entries for CVE-2026-24308 and CVE-2026-24281 currently appear as reserved records on cve.org, so Apache’s own advisory page is the clearest public source for the technical details right now.
