Listen to this Post
The vulnerability, identified as CVE-2026-26017 and patched in CoreDNS version 1.14.2, is a logical flaw in the default plugin execution order . CoreDNS processes DNS queries by passing them through a chain of plugins. Prior to the patch, security enforcement plugins like `acl` were configured to execute before normalization plugins such as `rewrite` . This created a Time-of-Check Time-of-Use (TOCTOU) condition. An ACL plugin would first check a query against access rules based on the original domain name. If allowed, the query would then proceed to the `rewrite` plugin, which could transparently change the query’s target domain to a restricted internal address . Because the ACL check was not repeated after the rewrite, the security boundary was bypassed, allowing a low-privileged user to access internal services that should have been blocked .
Platform: CoreDNS
Version: <1.14.2
Vulnerability: ACL Bypass
Severity: High
date: 03/06/2026
Prediction: Patched
What Undercode Say:
Analytics:
The vulnerability is a plugin ordering issue (CWE-367) in CoreDNS before v1.14.2, allowing unauthorized access to internal services in multi-tenant environments . It has a CVSS score of 7.7 (High) . The fix involves reordering the plugin chain to run `rewrite` before `acl` .
Check Current Version:
Check the installed version of CoreDNS coredns -version or if running as a Kubernetes pod: kubectl exec -n kube-system deployment/coredns -- coredns -version
Exploit Scenario:
In a Kubernetes cluster where an ACL blocks `.internal.svc.cluster.local` but a `rewrite` rule exists for `public-api.external.com` to api.internal.svc.cluster.local, an unprivileged pod can query public-api.external.com. The ACL allows it, the rewrite triggers, and the pod receives the internal IP .
Protection from this CVE:
- Upgrade: Update to CoreDNS version 1.14.2 or later .
- Workaround (if upgrade is not immediate): Manually reorder the plugins in your `plugin.cfg` file to ensure `rewrite` appears before
acl, then recompile .Example of reordering in plugin.cfg (before compile) Ensure this line order: rewrite:rewrite acl:acl
Impact:
Bypass of DNS-based network policies, leading to unauthorized service discovery and reconnaissance of internal infrastructure in shared or multi-tenant Kubernetes clusters .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

