CVE-2026-24308

Name: CVE-2026-24308
Description: Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in the client configuration via the client's log file. The configuration values are logged at INFO level, so production systems are potentially affected. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1130497

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                          Version             Status
zookeeper (PTS)    bullseye (security), bullseye    3.4.13-6+deb11u1    vulnerable
                   bookworm                         3.8.0-11+deb12u2    vulnerable
                   bookworm (security)              3.8.0-11+deb12u1    vulnerable
                   trixie                           3.9.3-1+deb13u1     vulnerable
                   forky, sid                       3.9.5-1             fixed

The information below is based on the following data on fixed versions.

Package     Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
zookeeper   source    (unstable)    3.9.5-1                               1130497

Notes

https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
