Vulnerability-Lookup

CVE-2026-33190 (GCVE-0-2026-33190)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:02 – Updated: 2026-05-06 12:47

Title

CoreDNS TSIG authentication bypass on encrypted DNS transports

Summary

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-303 - Incorrect Implementation of Authentication Algorithm

Assigner

GitHub_M

References

URL

Tags

	https://github.com/coredns/coredns/security/advis…	x_refsource_CONFIRM
	https://github.com/coredns/coredns/releases/tag/v1.14.3	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	coredns	coredns	Affected: < 1.14.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33190",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-06T12:46:45.291268Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-06T12:47:07.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "coredns",
          "vendor": "coredns",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.14.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:02:55.374Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
        },
        {
          "name": "https://github.com/coredns/coredns/releases/tag/v1.14.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
        }
      ],
      "source": {
        "advisory": "GHSA-qhmp-q7xh-99rh",
        "discovery": "UNKNOWN"
      },
      "title": "CoreDNS TSIG authentication bypass on encrypted DNS transports"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33190",
    "datePublished": "2026-05-05T19:02:55.374Z",
    "dateReserved": "2026-03-17T22:16:36.721Z",
    "dateUpdated": "2026-05-06T12:47:07.338Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-33190",
      "date": "2026-05-06",
      "epss": "0.00068",
      "percentile": "0.20675"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33190\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-05T20:16:36.167\",\"lastModified\":\"2026-05-06T13:16:08.037\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-303\"}]}],\"references\":[{\"url\":\"https://github.com/coredns/coredns/releases/tag/v1.14.3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33190\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-06T12:46:45.291268Z\"}}}], \"references\": [{\"url\": \"https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-06T12:47:04.599Z\"}}], \"cna\": {\"title\": \"CoreDNS TSIG authentication bypass on encrypted DNS transports\", \"source\": {\"advisory\": \"GHSA-qhmp-q7xh-99rh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"coredns\", \"product\": \"coredns\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.14.3\"}]}], \"references\": [{\"url\": \"https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh\", \"name\": \"https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/coredns/coredns/releases/tag/v1.14.3\", \"name\": \"https://github.com/coredns/coredns/releases/tag/v1.14.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-303\", \"description\": \"CWE-303: Incorrect Implementation of Authentication Algorithm\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-05T19:02:55.374Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33190\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-06T12:47:07.338Z\", \"dateReserved\": \"2026-03-17T22:16:36.721Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-05T19:02:55.374Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

OPENSUSE-SU-2026:10673-1

Vulnerability from csaf_opensuse - Published: 2026-05-04 00:00 - Updated: 2026-05-04 00:00

Summary

coredns-1.14.3-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: coredns-1.14.3-1.1 on GA media

Description of the patch: These are all security issues fixed in the coredns-1.14.3-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10673

CVE-2026-27140

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-27144

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32282

6.3 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-33190

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-27140/	self
	https://www.suse.com/security/cve/CVE-2026-27144/	self
	https://www.suse.com/security/cve/CVE-2026-32282/	self
	https://www.suse.com/security/cve/CVE-2026-33190/	self
	https://www.suse.com/security/cve/CVE-2026-27140	external
	https://bugzilla.suse.com/1261653	external
	https://www.suse.com/security/cve/CVE-2026-27144	external
	https://bugzilla.suse.com/1261655	external
	https://www.suse.com/security/cve/CVE-2026-32282	external
	https://bugzilla.suse.com/1261658	external
	https://www.suse.com/security/cve/CVE-2026-33190	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "coredns-1.14.3-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the coredns-1.14.3-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10673",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10673-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27140 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27140/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-27144 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-27144/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32282 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32282/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-33190 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-33190/"
      }
    ],
    "title": "coredns-1.14.3-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-04T00:00:00Z",
      "generator": {
        "date": "2026-05-04T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10673-1",
      "initial_release_date": "2026-05-04T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-04T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "coredns-1.14.3-1.1.aarch64",
                "product": {
                  "name": "coredns-1.14.3-1.1.aarch64",
                  "product_id": "coredns-1.14.3-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "coredns-extras-1.14.3-1.1.aarch64",
                "product": {
                  "name": "coredns-extras-1.14.3-1.1.aarch64",
                  "product_id": "coredns-extras-1.14.3-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "coredns-1.14.3-1.1.ppc64le",
                "product": {
                  "name": "coredns-1.14.3-1.1.ppc64le",
                  "product_id": "coredns-1.14.3-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "coredns-extras-1.14.3-1.1.ppc64le",
                "product": {
                  "name": "coredns-extras-1.14.3-1.1.ppc64le",
                  "product_id": "coredns-extras-1.14.3-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "coredns-1.14.3-1.1.s390x",
                "product": {
                  "name": "coredns-1.14.3-1.1.s390x",
                  "product_id": "coredns-1.14.3-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "coredns-extras-1.14.3-1.1.s390x",
                "product": {
                  "name": "coredns-extras-1.14.3-1.1.s390x",
                  "product_id": "coredns-extras-1.14.3-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "coredns-1.14.3-1.1.x86_64",
                "product": {
                  "name": "coredns-1.14.3-1.1.x86_64",
                  "product_id": "coredns-1.14.3-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "coredns-extras-1.14.3-1.1.x86_64",
                "product": {
                  "name": "coredns-extras-1.14.3-1.1.x86_64",
                  "product_id": "coredns-extras-1.14.3-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-1.14.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64"
        },
        "product_reference": "coredns-1.14.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-1.14.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le"
        },
        "product_reference": "coredns-1.14.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-1.14.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x"
        },
        "product_reference": "coredns-1.14.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-1.14.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64"
        },
        "product_reference": "coredns-1.14.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-extras-1.14.3-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64"
        },
        "product_reference": "coredns-extras-1.14.3-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-extras-1.14.3-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le"
        },
        "product_reference": "coredns-extras-1.14.3-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-extras-1.14.3-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x"
        },
        "product_reference": "coredns-extras-1.14.3-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "coredns-extras-1.14.3-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
        },
        "product_reference": "coredns-extras-1.14.3-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27140",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27140"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "SWIG file names containing \u0027cgo\u0027 and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27140",
          "url": "https://www.suse.com/security/cve/CVE-2026-27140"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261653 for CVE-2026-27140",
          "url": "https://bugzilla.suse.com/1261653"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-04T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-27140"
    },
    {
      "cve": "CVE-2026-27144",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-27144"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-27144",
          "url": "https://www.suse.com/security/cve/CVE-2026-27144"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261655 for CVE-2026-27144",
          "url": "https://bugzilla.suse.com/1261655"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-04T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-27144"
    },
    {
      "cve": "CVE-2026-32282",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32282"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32282",
          "url": "https://www.suse.com/security/cve/CVE-2026-32282"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1261658 for CVE-2026-32282",
          "url": "https://bugzilla.suse.com/1261658"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-04T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-32282"
    },
    {
      "cve": "CVE-2026-33190",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-33190"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
          "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-33190",
          "url": "https://www.suse.com/security/cve/CVE-2026-33190"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-1.14.3-1.1.x86_64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.aarch64",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.ppc64le",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.s390x",
            "openSUSE Tumbleweed:coredns-extras-1.14.3-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-04T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-33190"
    }
  ]
}

GHSA-QHMP-Q7XH-99RH

Vulnerability from github – Published: 2026-04-28 22:46 – Updated: 2026-04-28 22:46

Summary

CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC

Details

Summary

CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC.

Details

The tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go)

Two affected transports are shown directly in the PoC: - DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain. - DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go).

The same transport-family bug pattern also appears on other transports: - DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior. - DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go). - gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go).

The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience.

PoC

Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)
Run python3 ./tsig-repro.py
Expected output: *** Start CoreDNS *** Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log

*** Baseline (plain TCP) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=9 (expected NOTAUTH=9)

*** Candidate (DoT) *** no_tsig rcode=5 (expected REFUSED=5) invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)

*** Candidate (DoH) *** no_tsig http=200 rcode=5 (expected REFUSED=5) invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)

*** OK *** TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it. Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json

Impact

Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/coredns/coredns"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-28T22:46:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nCoreDNS\u0027 tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC.\n\n### Details\nThe tsig plugin decides whether an incoming TSIG was valid by consulting w.TsigStatus(): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... } (plugin/tsig/tsig.go)\n\nTwo affected transports are shown directly in the PoC:\n- DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain.\n- DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go).\n\nThe same transport-family bug pattern also appears on other transports:\n- DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -\u003e core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior.\n- DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go).\n- gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go).\n\nThe attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience.\n\n### PoC\n1. Adjust COREDNS_BIN in the PoC to point at right path (see the top-level const definitions for tunables as well)\n2. Run python3 ./tsig-repro.py\n3. Expected output:\n*** Start CoreDNS ***\nCorefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile\nLog: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log\n\n*** Baseline (plain TCP) ***\nno_tsig rcode=5 (expected REFUSED=5)\ninvalid_tsig rcode=9 (expected NOTAUTH=9)\n\n*** Candidate (DoT) ***\nno_tsig rcode=5 (expected REFUSED=5)\ninvalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount\u003e0)\n\n*** Candidate (DoH) ***\nno_tsig http=200 rcode=5 (expected REFUSED=5)\ninvalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount\u003e0)\n\n*** OK ***\nTSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it.\nResults: /tmp/vh-f001-tsig-doh-dot-bypass/results.json\n\n\n### Impact\nUnauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, enabling access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data/privileged queries, etc.).",
  "id": "GHSA-qhmp-q7xh-99rh",
  "modified": "2026-04-28T22:46:15Z",
  "published": "2026-04-28T22:46:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coredns/coredns"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC"
}

FKIE_CVE-2026-33190

Vulnerability from fkie_nvd - Published: 2026-05-05 20:16 - Updated: 2026-05-06 13:16

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/coredns/coredns/releases/tag/v1.14.3
	security-advisories@github.com	https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer\u0027s TsigStatus() instead of performing verification itself. The DoH and DoH3 writer\u0027s TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3."
    }
  ],
  "id": "CVE-2026-33190",
  "lastModified": "2026-05-06T13:16:08.037",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-05T20:16:36.167",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/coredns/coredns/releases/tag/v1.14.3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-303"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33190 (GCVE-0-2026-33190)

OPENSUSE-SU-2026:10673-1

GHSA-QHMP-Q7XH-99RH

Summary

Details

PoC

Impact

FKIE_CVE-2026-33190

Tags

Sightings

Nomenclature