DEBIAN-CVE-2026-24308

Status: Published. CVSS 7.5 (High).

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. The configuration values are logged at INFO level, so production systems are potentially affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue.

Risk Scores

CVSS 3.1: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | zookeeper | 3.8.0-6, 3.9.5-1, 0 |
| Debian:14 | zookeeper | 3.9.3-1, 3.9.3-2, 3.9.4-1 |
| Debian:12 | zookeeper | 0, 0, 3.8.0-11 |
| Debian:13 | zookeeper | 0, 3.9.3-1, 3.9.3-2 |

Exploit Intelligence

Timeline

  • Mar 7, 2026 CVE Published
  • Apr 28, 2026 CVE Updated