Vulnerability CVE-2026-24308: Information

Description

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

Severity: HIGH (7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-24308
Published: March 7, 2026
Modified: March 10, 2026
Error type identifier: CWE-532

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
kafkasisyphus4.2.0-alt24.2.0-alt4ALT-PU-2026-5782-1414376Fixed
kafkasisyphus_loongarch644.2.0-alt34.2.0-alt4ALT-PU-2026-5915-1-Fixed
kafkac10f24.2.0-alt33.9.1-alt2.c10.1ALT-PU-2026-5788-1414377Testing

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
  • Mailing List
  • Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/03/07/5
  • Mailing List
  • Third Party Advisory
GHSA-crhr-qqj8-rpxc
      1. cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
        Start including
        3.8.0
        End excluding
        3.8.6
        cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*
        Start including
        3.9.0
        End excluding
        3.9.5
    VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
    Version: v26.2.2
    Back to top