DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26017: CoreDNS ACL Bypass via TOCTOU in Plugin Chain


Vulnerability ID: CVE-2026-26017
CVSS Score: 7.7
Published: 2026-03-06

A logical vulnerability in CoreDNS versions prior to 1.14.2 allows attackers to bypass access control lists (ACLs) via a Time-of-Check Time-of-Use (TOCTOU) flaw. The default plugin execution order processes security enforcement plugins (such as acl, firewall, and opa) before the rewrite plugin. Consequently, an attacker can query a permitted domain name that is subsequently rewritten to a restricted internal domain, bypassing the intended security policies and resolving the restricted target.

TL;DR

CoreDNS < 1.14.2 evaluates ACLs before rewriting query names. Attackers can query an allowed domain that rewrites to a restricted internal domain, bypassing security controls.
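To make the ordering problem concrete, here is an added Go model of a CoreDNS-style plugin chain. It is illustrative code written for this post, not CoreDNS source: the Query, Next and Plugin types, the acl/rewrite bodies, and the allowed.example./internal.example. policy are constructed stand-ins (real plugins implement plugin.Handler over a dns.Msg). Running the same query through the pre-1.14.2 order (acl before rewrite) and the corrected order (rewrite before acl) shows why the check has to happen after the name has been rewritten:

```go
package main

import (
	"errors"
	"fmt"
)

// Query is the mutable request state handed down the plugin chain.
type Query struct {
	Name string // query name in the dot-terminated form CoreDNS uses
}

// Next is the continuation into the remainder of the chain.
type Next func(q *Query) (string, error)

// Plugin is a simplified stand-in for CoreDNS's plugin.Handler: inspect or
// mutate the query, then answer it or hand it to the next plugin.
type Plugin func(q *Query, next Next) (string, error)

// ErrRefused stands in for the REFUSED response the acl plugin returns.
var ErrRefused = errors.New("refused by acl")

// Constructed policy for the demonstration (not a real deployment): the acl
// plugin blocks internal.example., the rewrite plugin aliases allowed.example.
// to that blocked name.
var blocked = map[string]bool{"internal.example.": true}
var aliases = map[string]string{"allowed.example.": "internal.example."}

// acl checks the query name as it is at this point in the chain.
func acl(q *Query, next Next) (string, error) {
	if blocked[q.Name] {
		return "", fmt.Errorf("%w: %s", ErrRefused, q.Name)
	}
	return next(q)
}

// rewrite replaces the query name and passes the modified query on.
func rewrite(q *Query, next Next) (string, error) {
	if target, ok := aliases[q.Name]; ok {
		q.Name = target
	}
	return next(q)
}

// backend is the terminal handler (forward, kubernetes, file, ...).
func backend(q *Query) (string, error) {
	return "answer for " + q.Name, nil
}

var plugins = map[string]Plugin{"acl": acl, "rewrite": rewrite}

// BuildChain links plugins in the given order, mirroring plugin.cfg ordering:
// the first name in order is the first plugin to see the query. Unknown
// names are skipped.
func BuildChain(order []string) Next {
	next := backend
	for i := len(order) - 1; i >= 0; i-- {
		p, ok := plugins[order[i]]
		if !ok {
			continue
		}
		inner := next
		next = func(q *Query) (string, error) { return p(q, inner) }
	}
	return next
}

// Resolve runs qname through a chain built in the given order.
func Resolve(order []string, qname string) (string, error) {
	return BuildChain(order)(&Query{Name: qname})
}

func main() {
	for _, order := range [][]string{{"acl", "rewrite"}, {"rewrite", "acl"}} {
		ans, err := Resolve(order, "allowed.example.")
		fmt.Printf("order %v: answer=%q err=%v\n", order, ans, err)
	}
}
```

With the vulnerable order the acl plugin sees allowed.example., lets it through, and the backend then answers for internal.example.; with rewrite first, acl sees the rewritten name and refuses it. The same model refuses a direct query for internal.example. under either order, which is why the bypass only surfaces through an alias.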


Technical Details

  • CWE ID: CWE-367 (TOCTOU)
  • Attack Vector: Network
  • CVSS v3.1: 7.7 (High)
  • Impact: ACL Bypass / Information Disclosure
  • Exploit Status: No Active Exploitation
  • Fixed Version: 1.14.2

Affected Systems

  • CoreDNS < 1.14.2 (fixed in 1.14.2)
  • Kubernetes clusters using default CoreDNS images < 1.14.2
  • Custom DNS deployments using rewrite and acl plugins together

Code Analysis

Commit: ccd88b2

Update miekg/dns to v1.1.72 for consistent normalization

go.mod updates and dependency upgrades

Mitigation Strategies

  • Upgrade CoreDNS to version 1.14.2 or later.
  • Manually reorder plugin.cfg in custom builds to place rewrite before acl.
  • Audit existing rewrite rules to ensure no aliases point to sensitive internal targets without secondary protections.

Remediation Steps:

  1. Check the running CoreDNS version: coredns -version.
  2. If version is < 1.14.2, update the container image or binary to the latest stable release.
  3. If using a custom-compiled build, open plugin.cfg.
  4. Locate the rewrite plugin line.
  5. Move the rewrite line strictly above acl, firewall, and opa lines.
  6. Re-run make or go generate && go build to produce the patched binary.
  7. Deploy the new binary and verify plugin order by checking logs during startup (plugins load in the configured order).
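As an added example for the plugin.cfg steps above (written for this post, not taken from the advisory or the CoreDNS project), the following Go program parses a plugin.cfg-style list, reports any of acl, firewall or opa that would execute before rewrite, and produces a corrected file with the rewrite line moved just ahead of the first of them. The sample configuration is a constructed excerpt, not a copy of the project's file; the only assumption is the usual one-plugin-per-line name:package format with # comments, where earlier lines execute earlier in the chain.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// enforcers are the policy plugins the advisory names; each must run after
// rewrite so that it inspects the rewritten query name.
var enforcers = []string{"acl", "firewall", "opa"}

// sampleCfg is a constructed excerpt in the pre-1.14.2 order the advisory
// describes (acl before rewrite). It is not the project's real file.
const sampleCfg = `# constructed plugin.cfg excerpt
errors:errors
log:log
acl:acl
cache:cache
rewrite:rewrite
forward:forward
`

// pluginName returns the plugin name on a plugin.cfg line, or "" for blank
// and comment lines. Lines look like "name:package" (e.g. "prometheus:metrics").
func pluginName(line string) string {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return ""
	}
	return strings.TrimSpace(strings.SplitN(line, ":", 2)[0])
}

// ParsePluginOrder returns the plugin names in execution order.
func ParsePluginOrder(cfg string) []string {
	var order []string
	sc := bufio.NewScanner(strings.NewReader(cfg))
	for sc.Scan() {
		if name := pluginName(sc.Text()); name != "" {
			order = append(order, name)
		}
	}
	return order
}

// CheckRewriteOrder reports whether every compiled-in enforcement plugin runs
// after rewrite, and lists the ones that do not. A build without rewrite has
// nothing to rewrite and passes.
func CheckRewriteOrder(order []string) (bool, []string) {
	pos := map[string]int{}
	for i, n := range order {
		pos[n] = i
	}
	rw, ok := pos["rewrite"]
	if !ok {
		return true, nil
	}
	var early []string
	for _, e := range enforcers {
		if p, present := pos[e]; present && p < rw {
			early = append(early, e)
		}
	}
	return len(early) == 0, early
}

// FixRewriteOrder moves the rewrite line directly above the first enforcement
// plugin line; the file is returned unchanged if no move is needed.
func FixRewriteOrder(cfg string) string {
	lines := strings.Split(cfg, "\n")
	rwIdx, firstEnf := -1, -1
	for i, l := range lines {
		name := pluginName(l)
		if name == "rewrite" {
			rwIdx = i
		}
		for _, e := range enforcers {
			if name == e && (firstEnf == -1 || i < firstEnf) {
				firstEnf = i
			}
		}
	}
	if rwIdx == -1 || firstEnf == -1 || rwIdx < firstEnf {
		return cfg
	}
	rwLine := lines[rwIdx]
	lines = append(lines[:rwIdx], lines[rwIdx+1:]...) // rwIdx > firstEnf, so firstEnf is unaffected
	lines = append(lines[:firstEnf], append([]string{rwLine}, lines[firstEnf:]...)...)
	return strings.Join(lines, "\n")
}

func main() {
	ok, early := CheckRewriteOrder(ParsePluginOrder(sampleCfg))
	fmt.Printf("order ok: %v, enforcers running before rewrite: %v\n", ok, early)
	fixed := FixRewriteOrder(sampleCfg)
	fmt.Println("corrected order:", ParsePluginOrder(fixed))
}
```

Run the check against the plugin.cfg of any custom build before step 6; a non-empty list names the plugins that would still evaluate the pre-rewrite name. The corrected file keeps every other line in place, so the remaining chain order (cache, forward, and so on) is untouched.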


Read the full report for CVE-2026-26017 on our website for more details including interactive diagrams and full exploit analysis.
