cvedb.io
CVE-2026-33489
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-05-05T20:16:36.627 · Last modified 2026-06-17T10:37:35.243

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.
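The selection flaw described above can be reproduced in a few lines. This is an added Go example, not code from CoreDNS or from this advisory: the function names `lexicographicPick` and `longestSuffixPick` are hypothetical and the zone list is constructed. It models "greatest string wins" beside a real longest-suffix match, and shows that the outcome depends on how the subzone name sorts against the parent.

```go
package main

import (
	"fmt"
	"strings"
)

// isSubdomain reports whether name equals zone or lies below it (both FQDNs).
func isSubdomain(zone, name string) bool {
	zone, name = strings.ToLower(zone), strings.ToLower(name)
	return zone == "." || name == zone || strings.HasSuffix(name, "."+zone)
}

// lexicographicPick models the flawed selection (hypothetical name):
// among the zones that match, the lexicographically greatest string wins.
func lexicographicPick(zones []string, name string) string {
	best := ""
	for _, z := range zones {
		if isSubdomain(z, name) && z > best {
			best = z
		}
	}
	return best
}

// longestSuffixPick selects the most specific matching zone (hypothetical name).
// Every match is a suffix of name, so the longest string is the most specific.
func longestSuffixPick(zones []string, name string) string {
	best := ""
	for _, z := range zones {
		if isSubdomain(z, name) && len(z) > len(best) {
			best = z
		}
	}
	return best
}

func main() {
	// Constructed configuration: a permissive parent and two restrictive subzones.
	zones := []string{"example.org.", "a.example.org.", "z.example.org."}
	for _, q := range []string{"a.example.org.", "z.example.org."} {
		fmt.Printf("transfer of %-16s lexicographic=%-16s longest-suffix=%s\n",
			q, lexicographicPick(zones, q), longestSuffixPick(zones, q))
	}
}
```

For `a.example.org.` the lexicographic pick returns the parent stanza, while `z.example.org.` happens to resolve correctly, so configurations that define transfer rules for both a parent zone and a subzone are the ones to review when moving to 1.14.3.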

Affected products

coredns.io — coredns

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.