CoreDNS, ACL Bypass, CVE-2026-26017 (High)

Listen to this Post

The vulnerability, identified as CVE-2026-26017 and patched in CoreDNS version 1.14.2, is a logical flaw in the default plugin execution order . CoreDNS processes DNS queries by passing them through a chain of plugins. Prior to the patch, security enforcement plugins like `acl` were configured to execute before normalization plugins such as `rewrite` . This created a Time-of-Check Time-of-Use (TOCTOU) condition. An ACL plugin would first check a query against access rules based on the original domain name. If allowed, the query would then proceed to the `rewrite` plugin, which could transparently change the query’s target domain to a restricted internal address . Because the ACL check was not repeated after the rewrite, the security boundary was bypassed, allowing a low-privileged user to access internal services that should have been blocked .
Platform: CoreDNS
Version: <1.14.2
Vulnerability: ACL Bypass
Severity: High
date: 03/06/2026

Prediction: Patched

What Undercode Say:

Analytics:

The vulnerability is a plugin ordering issue (CWE-367) in CoreDNS before v1.14.2, allowing unauthorized access to internal services in multi-tenant environments . It has a CVSS score of 7.7 (High) . The fix involves reordering the plugin chain to run `rewrite` before `acl` .

Check Current Version:

Check the installed version of CoreDNS
coredns -version
or if running as a Kubernetes pod:
kubectl exec -n kube-system deployment/coredns -- coredns -version

Exploit Scenario:

In a Kubernetes cluster where an ACL blocks `.internal.svc.cluster.local` but a `rewrite` rule exists for `public-api.external.com` to api.internal.svc.cluster.local, an unprivileged pod can query public-api.external.com. The ACL allows it, the rewrite triggers, and the pod receives the internal IP .

Protection from this CVE:

  1. Upgrade: Update to CoreDNS version 1.14.2 or later .
  2. Workaround (if upgrade is not immediate): Manually reorder the plugins in your `plugin.cfg` file to ensure `rewrite` appears before acl, then recompile .
    Example of reordering in plugin.cfg (before compile)
    Ensure this line order:
    rewrite:rewrite
    acl:acl
    

Impact:

Bypass of DNS-based network policies, leading to unauthorized service discovery and reconnaissance of internal infrastructure in shared or multi-tenant Kubernetes clusters .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top