CVE-2026-26017 Overview
CoreDNS is a widely-deployed DNS server that implements a modular architecture through chainable plugins. A logical vulnerability in CoreDNS versions prior to 1.14.2 allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw that can undermine access control policies.
Critical Impact
Attackers with low privileges can bypass DNS access controls by exploiting the plugin execution order, potentially gaining unauthorized access to sensitive DNS records protected by ACL policies.
Affected Products
- coredns.io coredns (versions prior to 1.14.2)
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-26017 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2026-26017
Vulnerability Analysis
This vulnerability represents a classic Time-of-Check Time-of-Use (TOCTOU) race condition flaw (CWE-367) in the CoreDNS plugin architecture. The root issue stems from how CoreDNS processes DNS requests through its plugin chain. When the acl plugin performs access control checks, it evaluates the original DNS query before the rewrite plugin has the opportunity to modify the request. This creates a window where an attacker can craft a request that passes ACL validation but is subsequently rewritten to access protected resources.
The vulnerability can be exploited over the network and requires low privileges to execute. The changed scope in the vulnerability assessment indicates that successful exploitation can impact resources beyond the vulnerable component itself, potentially exposing confidential DNS records that should be protected by access control policies.
Root Cause
The vulnerability originates from a design flaw in the default plugin execution order within CoreDNS. Security-focused plugins like acl are positioned earlier in the plugin chain than transformation plugins like rewrite. This architectural decision means that access control decisions are made against the original request rather than the final, potentially rewritten request. When the rewrite plugin subsequently modifies the DNS query, the access control check performed earlier becomes invalidated, creating the TOCTOU condition.
Attack Vector
An attacker can exploit this vulnerability by crafting DNS queries that are designed to pass the initial ACL checks but are then rewritten to target protected DNS zones or records. The attack proceeds as follows:
- The attacker identifies protected DNS resources behind ACL rules
- The attacker constructs a DNS query that targets an allowed resource
- The acl plugin validates the request and permits it through
- The rewrite plugin modifies the query to target the protected resource
- The modified query is processed, bypassing the intended access controls
This exploitation technique allows unauthorized information disclosure of DNS records that should be restricted by access control policies. The attack requires network access to the CoreDNS server and assumes the attacker has at least minimal authenticated access to the DNS service.
Detection Methods for CVE-2026-26017
Indicators of Compromise
- Unusual DNS query patterns that appear to target allowed resources but result in responses from protected zones
- DNS query logs showing rewrite activity immediately following ACL-permitted queries to unexpected destinations
- Anomalous access patterns where users or systems receive DNS responses for records they should not have access to
Detection Strategies
- Monitor CoreDNS logs for discrepancies between ACL-allowed queries and final resolved records
- Implement DNS query analysis to detect patterns of queries that exploit rewrite rules following ACL checks
- Deploy network-level monitoring to correlate DNS request/response pairs and identify unauthorized information disclosure
Monitoring Recommendations
- Enable verbose logging for both acl and rewrite plugins to capture the full query transformation chain
- Establish baseline DNS query patterns and alert on deviations that may indicate exploitation attempts
- Integrate CoreDNS logs with SIEM solutions to correlate potential bypass attempts with other security events
How to Mitigate CVE-2026-26017
Immediate Actions Required
- Upgrade CoreDNS to version 1.14.2 or later immediately
- Review and audit existing ACL and rewrite plugin configurations for potential bypass scenarios
- Consider temporarily disabling the rewrite plugin if immediate upgrade is not possible and ACL enforcement is critical
- Implement network segmentation to limit exposure of CoreDNS servers to trusted networks only
Patch Information
CoreDNS has released version 1.14.2 which addresses this TOCTOU vulnerability. The patch modifies the plugin execution order or evaluation logic to ensure access control checks account for potential query rewrites. Organizations should upgrade to this version as soon as possible.
For detailed patch information, refer to the GitHub CoreDNS Release v1.14.2 and the GitHub Security Advisory GHSA-c9v3-4pv7-87pr.
Workarounds
- Manually reorder plugins in the Corefile configuration to ensure rewrite is processed before acl where architecturally feasible
- Implement duplicate access control checks at the network level using firewall rules or DNS proxy filters
- Review and restrict rewrite rules to prevent transformations that could target ACL-protected resources
- Deploy additional monitoring and alerting for any DNS queries that involve both ACL and rewrite plugin activity
# Configuration example - Review Corefile plugin order
# Ensure critical security plugins are positioned appropriately
# Upgrade to CoreDNS 1.14.2+ to properly address this vulnerability
kubectl set image deployment/coredns coredns=coredns/coredns:1.14.2 -n kube-system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
