CVE-2026-41999 Overview
CVE-2026-41999 is a medium-severity vulnerability in PowerDNS Authoritative Server affecting the handling of views when used with TCP PROXY protocol requests. The flaw causes the server to apply incorrect view logic when processing DNS queries delivered over TCP connections that use the PROXY protocol header. As a result, clients may receive responses tied to a view other than the one their actual source address should be mapped to. The issue is documented in PowerDNS Security Advisory 2026-06.
Critical Impact
Authoritative DNS responses can leak across view boundaries, exposing records intended for restricted client groups and undermining segmentation policies built on PowerDNS views.
Affected Products
- PowerDNS Authoritative Server (versions referenced in PowerDNS Advisory 2026-06)
- Deployments using the PROXY protocol over TCP
- Configurations relying on views to segment DNS responses by client source
Discovery Timeline
- 2026-05-21 - CVE-2026-41999 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-41999
Vulnerability Analysis
PowerDNS Authoritative Server supports views, which return different record sets based on the source of the DNS query. Views depend on accurate client address resolution to apply the correct policy. The vulnerability arises when queries arrive over TCP with a PROXY protocol header that carries the real client address ahead of the DNS payload. The authoritative server fails to consistently use the PROXY-supplied address when evaluating view membership for these TCP requests. As a consequence, view selection diverges from the intended source-based policy, and the server may serve records belonging to a different view.
This behavior breaks the trust boundary that operators establish between view groups. Operators commonly use views to expose internal-only zones to internal resolvers while limiting external clients to public records. When view evaluation is incorrect, an external client connecting through a PROXY-aware front end can be matched against the wrong view, returning data not intended for it.
Root Cause
The root cause is incorrect handling of the client address context for TCP queries that include a PROXY protocol header. The view-matching logic does not consistently honor the PROXY-supplied source for TCP-delivered queries, producing a mismatch between the address used for transport and the address used for view selection. This is a configuration and design flaw in protocol handling rather than a memory safety issue.
Attack Vector
Exploitation is network-based and does not require authentication or user interaction. An attacker must send DNS queries over TCP through a PROXY-protocol-enabled path to a PowerDNS Authoritative Server configured with views. The attack complexity is high because it depends on a specific deployment topology: views configured, TCP transport used, and PROXY protocol enabled in front of the authoritative server. No verified public exploit code is available. See the PowerDNS Security Advisory 2026-06 for protocol-level details.
Detection Methods for CVE-2026-41999
Indicators of Compromise
- Authoritative DNS responses returning records that should be restricted to a different view than the requesting client.
- TCP DNS queries arriving with PROXY protocol headers from sources that should map to internal-only or restricted views.
- Discrepancies between UDP and TCP responses for the same query name from the same client identity.
Detection Strategies
- Compare authoritative responses for identical queries over UDP and TCP from clients that traverse PROXY-aware front ends, and flag divergences.
- Audit PowerDNS query logs for TCP queries handled through PROXY-enabled listeners and validate the resolved view against the expected source mapping.
- Correlate front-end PROXY header values with downstream PowerDNS view selection in centralized logging to identify mismatches.
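The correlation check in the last strategy, as an added example that is not part of this page or of PowerDNS itself: it parses the PROXY protocol v2 header a front end prepends to the TCP stream, maps the client address carried in that header to the view the source-based policy should have selected, and flags a mismatch against the view recorded as served. The view map, the addresses and the sample header are constructed assumptions, and the served view is assumed to come from your PowerDNS query log correlation.

```python
import ipaddress
import struct

# PROXY protocol v2 signature; the header precedes the DNS message on the TCP stream.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed view map (assumption): the view each client network should be served from.
VIEW_MAP = [
    (ipaddress.ip_network("10.0.0.0/8"), "internal"),
    (ipaddress.ip_network("192.168.0.0/16"), "internal"),
]
DEFAULT_VIEW = "public"

def build_proxy_v2(src, dst, src_port, dst_port, payload, local=False):
    """Build a PROXY v2 header (TCP/IPv4) ahead of a DNS payload: constructed sample traffic."""
    if local:  # LOCAL command carries no client address; the TCP peer must be used
        return PROXY_V2_SIG + bytes([0x20, 0x00]) + struct.pack("!H", 0) + payload
    body = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!HH", src_port, dst_port))
    return PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body + payload

def parse_proxy_v2(data):
    """Return (src_ip, dst_ip, dns_payload); src_ip is None for the LOCAL command."""
    if len(data) < 16 or data[:12] != PROXY_V2_SIG:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body, payload = data[16:16 + addr_len], data[16 + addr_len:]
    if ver_cmd & 0x0F == 0:
        return None, None, payload
    if fam_proto == 0x11:  # TCP over IPv4: 4-byte src, 4-byte dst, then two ports
        return ipaddress.ip_address(body[:4]), ipaddress.ip_address(body[4:8]), payload
    if fam_proto == 0x21:  # TCP over IPv6: 16-byte src, 16-byte dst, then two ports
        return ipaddress.ip_address(body[:16]), ipaddress.ip_address(body[16:32]), payload
    raise ValueError("unsupported address family/protocol")

def expected_view(ip):
    """View the source-based policy should select for this client address."""
    ip = ipaddress.ip_address(ip)
    return next((view for net, view in VIEW_MAP if ip in net), DEFAULT_VIEW)

def check_view_selection(tcp_peer, raw_tcp_bytes, served_view):
    """Detection check: the view PowerDNS served (taken from its query log) must match
    the view the PROXY-supplied client maps to. Returns (expected, served, mismatch)."""
    src, _, _ = parse_proxy_v2(raw_tcp_bytes)
    client = src if src is not None else ipaddress.ip_address(tcp_peer)
    exp = expected_view(client)
    return exp, served_view, exp != served_view
```

A mismatch where the front end's own address (the TCP peer) would have selected the served view, while the PROXY-supplied client address selects a different one, is the pattern this advisory describes.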
Monitoring Recommendations
- Enable verbose query logging on PowerDNS Authoritative Server listeners that accept the PROXY protocol and ship logs to a central analytics platform.
- Monitor for unexpected NOERROR responses containing internal-zone records returned over TCP to external client ranges.
- Track the ratio of TCP to UDP queries reaching authoritative listeners, since attackers probing this issue must use TCP.
How to Mitigate CVE-2026-41999
Immediate Actions Required
- Apply the fixed PowerDNS Authoritative Server release referenced in PowerDNS Security Advisory 2026-06 as soon as it is available for your distribution.
- Inventory authoritative servers that combine views with PROXY protocol on TCP and prioritize them for patching.
- Review zone contents in restricted views to confirm whether any sensitive records may have been exposed.
Patch Information
PowerDNS published Security Advisory 2026-06 covering this issue. Refer to that advisory for the specific fixed versions and upgrade instructions for PowerDNS Authoritative Server.
Workarounds
- Disable the PROXY protocol on authoritative listeners until the patched version is deployed, if operationally feasible.
- Disable views on listeners that accept PROXY-protocol TCP connections, accepting reduced segmentation as a temporary trade-off.
- Restrict which upstream front ends may send PROXY headers to the authoritative server, using firewall rules and the proxy-protocol-from allow list, to limit exposure.
# Configuration example: restrict PROXY protocol sources on the authoritative listener
# /etc/powerdns/pdns.conf
# Limit which upstreams may speak PROXY protocol to PowerDNS (comma-separated netmasks; empty disables PROXY support)
proxy-protocol-from=10.0.0.0/24
# Optional: disable views on PROXY-enabled paths as a temporary mitigation
# (setting name as given here; confirm it against the documentation for your release)
# enable-views=no
# Then restart the service from a shell (this command is not part of pdns.conf):
systemctl restart pdns
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.