{"api_version":"1","generated_at":"2026-07-16T22:39:48+00:00","cve":"CVE-2026-26017","urls":{"html":"https://cve.report/CVE-2026-26017","api":"https://cve.report/api/cve/CVE-2026-26017.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26017","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26017"},"summary":{"title":"CoreDNS ACL Bypass","description":"CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-06 16:16:10","updated_at":"2026-07-15 02:18:59"},"problem_types":["CWE-367","CWE-367 CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.7","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr","name":"https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr","refsource":"security-advisories@github.com","tags":["Mitigation","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-26017","name":"https://access.redhat.com/security/cve/CVE-2026-26017","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/coredns/coredns/releases/tag/v1.14.2","name":"https://github.com/coredns/coredns/releases/tag/v1.14.2","refsource":"security-advisories@github.com","tags":["Product","Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:25127","name":"https://access.redhat.com/errata/RHSA-2026:25127","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:36873","name":"https://access.redhat.com/errata/RHSA-2026:36873","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:8151","name":"https://access.redhat.com/errata/RHSA-2026:8151","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26017.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26017.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445244","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2445244","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26017","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26017","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"coredns","product":"coredns","version":"affected < 1.14.2","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2.13","version":"unaffected 1782924920 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2.13","version":"unaffected 1782924937 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2.14","version":"unaffected 1780204232 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2.14","version":"unaffected 1780204249 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Advanced Cluster Management for Kubernetes 2.15","version":"unaffected 1774086225 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Connectivity Link 1","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat OpenShift Container Platform 4","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-03-06T16:01:45.971Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-03-06T15:36:15.655Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:36873: Red Hat Advanced Cluster Management for Kubernetes 2.13","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:8151: Red Hat Advanced Cluster Management for Kubernetes 2.15","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"26017","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"coredns.io","cpe5":"coredns","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26017","cve":"CVE-2026-26017","epss":"0.003850000","percentile":"0.307120000","score_date":"2026-07-15","updated_at":"2026-07-16 00:08:44"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26017","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-06T16:06:32.284525Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-03-06T16:06:41.093Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:acm:2.13::el9"],"defaultStatus":"affected","packageName":"rhacm2/lighthouse-agent-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1782924920","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:acm:2.13::el9"],"defaultStatus":"affected","packageName":"rhacm2/lighthouse-coredns-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2.13","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1782924937","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:acm:2.14::el9"],"defaultStatus":"affected","packageName":"rhacm2/lighthouse-agent-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2.14","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1780204232","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:acm:2.14::el9"],"defaultStatus":"affected","packageName":"rhacm2/lighthouse-coredns-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2.14","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1780204249","versionType":"rpm"}]},{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:acm:2.15::el9"],"defaultStatus":"affected","packageName":"rhacm2/lighthouse-coredns-rhel9","product":"Red Hat Advanced Cluster Management for Kubernetes 2.15","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1774086225","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:connectivity_link:1"],"defaultStatus":"affected","packageName":"rhcl-1/coredns-rhel9","product":"Red Hat Connectivity Link 1","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"unaffected","packageName":"openshift4/ose-coredns-rhel9","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2026-03-06T15:36:15.655Z","descriptions":[{"lang":"en","value":"A flaw was found in CoreDNS, a DNS server that uses a chain of plugins. This logical vulnerability allows an attacker to bypass DNS access controls. The issue occurs because security plugins, such as 'acl', are evaluated before the 'rewrite' plugin, creating a Time-of-Check Time-of-Use (TOCTOU) flaw. This flaw enables an attacker to circumvent intended access restrictions."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-367","description":"Time-of-check Time-of-use (TOCTOU) Race Condition","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T01:15:36.058Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26017"},{"name":"RHBZ#2445244","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445244"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26017.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36873"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25127"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8151"}],"solutions":[{"lang":"en","value":"RHSA-2026:36873: Red Hat Advanced Cluster Management for Kubernetes 2.13"},{"lang":"en","value":"RHSA-2026:25127: Red Hat Advanced Cluster Management for Kubernetes 2.14"},{"lang":"en","value":"RHSA-2026:8151: Red Hat Advanced Cluster Management for Kubernetes 2.15"}],"timeline":[{"lang":"en","time":"2026-03-06T16:01:45.971Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-06T15:36:15.655Z","value":"Made public."}],"title":"github.com/coredns/coredns: CoreDNS: DNS access control bypass due to plugin execution order flaw","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"coredns","vendor":"coredns","versions":[{"status":"affected","version":"< 1.14.2"}]}],"descriptions":[{"lang":"en","value":"CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-367","description":"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-06T15:36:15.655Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/coredns/coredns/security/advisories/GHSA-c9v3-4pv7-87pr"},{"name":"https://github.com/coredns/coredns/releases/tag/v1.14.2","tags":["x_refsource_MISC"],"url":"https://github.com/coredns/coredns/releases/tag/v1.14.2"}],"source":{"advisory":"GHSA-c9v3-4pv7-87pr","discovery":"UNKNOWN"},"title":"CoreDNS ACL Bypass"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-26017","datePublished":"2026-03-06T15:36:15.655Z","dateReserved":"2026-02-09T21:36:29.554Z","dateUpdated":"2026-07-15T01:15:36.058Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-06 16:16:10","lastModifiedDate":"2026-07-15 02:18:59","problem_types":["CWE-367","CWE-367 CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":4},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-06T16:06:32.284525Z","id":"CVE-2026-26017","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*:*","versionEndExcluding":"1.14.2","matchCriteriaId":"B72A7A10-A05D-47A2-93A8-076E4C944D23"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26017","Ordinal":"1","Title":"CoreDNS ACL Bypass","CVE":"CVE-2026-26017","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26017","Ordinal":"1","NoteData":"CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw. This issue has been patched in version 1.14.2.","Type":"Description","Title":"CoreDNS ACL Bypass"}]}}}