Listen to this Post
A logical vulnerability in CoreDNS (CVE-2026-26017) allows DNS access controls to be bypassed due to the default execution order of plugins . Security plugins such as `acl` are evaluated before the `rewrite` plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw . In this scenario, the `acl` plugin checks the original query name (e.g., public-name) and permits it, but then the `rewrite` plugin changes the query to a blocked internal name (e.g., admin.svc.cluster.local) after the access control check has passed . This plugin misordering undermines DNS-based segmentation strategies, particularly in multi-tenant Kubernetes clusters, by allowing unprivileged pods to discover and map restricted internal infrastructure . The issue is present in CoreDNS versions prior to 1.14.2 and has been assigned a CVSS score of 7.7 (High) . The vulnerability is caused by a race condition in the plugin execution chain, categorized under CWE-367 .
dailycve form:
Platform: CoreDNS
Version: <1.14.2
Vulnerability : TOCTOU bypass
Severity: 7.7 High
date: 2026-03-06
Prediction: Patched in 1.14.2
What Undercode Say:
Analytics:
Vulnerability Discovery: The vulnerability is a logical flaw in the default plugin execution order, not a memory corruption bug, making it subtle and dependent on configuration review.
Exploitation Vector: Exploitation is remote and requires low attack complexity, but the attacker needs low privileges (access to a pod in the cluster) .
Impact Scope: The impact is changed (scope: changed), meaning a successful breach can affect resources beyond the attacker’s initial authorization, specifically exposing services in other namespaces .
Code Context: The issue is rooted in the `plugin.cfg` build configuration file, which dictates the order of the plugin chain during startup. The fix involves reordering this file so that `rewrite` runs before acl.
Show Bash commands and codes:
Check current CoreDNS version in a Kubernetes cluster
kubectl get deployment -n kube-system coredns -o jsonpath='{.spec.template.spec.containers[bash].image}'
Inspect the plugin order of a running CoreDNS instance (if configmap is available)
kubectl get configmap -n kube-system coredns -o yaml
Simulate the vulnerable order in a local Corefile (vulnerable configuration)
cat <<EOF > Corefile-vulnerable
.:53 {
acl {
block type A net 0.0.0.0/0 .admin.svc.cluster.local
}
rewrite name public-name.admin.com admin.svc.cluster.local
kubernetes cluster.local in-addr.arpa ip6.arpa
forward . /etc/resolv.conf
}
EOF
Simulate the corrected Corefile (patched order)
cat <<EOF > Corefile-patched
.:53 {
rewrite name public-name.admin.com admin.svc.cluster.local
acl {
block type A net 0.0.0.0/0 .admin.svc.cluster.local
}
kubernetes cluster.local in-addr.arpa ip6.arpa
forward . /etc/resolv.conf
}
EOF
To patch, administrators must update their CoreDNS Corefile to ensure 'rewrite' comes before 'acl'.
This is typically done by editing the CoreDNS configmap.
kubectl edit configmap -n kube-system coredns
Then reorder the plugins in the Corefile section and save.
How Exploit:
- Reconnaissance: An attacker with access to an unprivileged pod in a multi-tenant Kubernetes cluster identifies a public DNS name that is likely rewritten to an internal service.
- Query: The attacker’s pod sends a DNS query for
public-name.admin.com.
3. TOCTOU Trigger:
Check: The `acl` plugin evaluates the query against its rules. It sees the query is for public-name.admin.com, which is not on the blocklist, and allows it to proceed.
Use: The `rewrite` plugin later executes and changes the query to admin.svc.cluster.local.
4. Information Disclosure: CoreDNS resolves the rewritten name and returns the internal IP address of the `admin` service to the attacker’s pod, bypassing the intended access controls and revealing infrastructure details .
Protection from this CVE:
Upgrade: Immediately upgrade CoreDNS to version 1.14.2 or later, where the plugin order has been corrected .
Workaround: If upgrading immediately is not possible, manually reorder the plugins in the Corefile configuration. Ensure that normalization plugins like `rewrite` are executed before security plugins like acl, opa, and `firewall` . This ensures access control decisions are made on the final, resolved domain name.
Network Policies: Implement Kubernetes Network Policies as a defense-in-depth measure to restrict pod-to-pod communication, limiting the blast radius even if DNS information is leaked.
Impact:
Unauthorized Access: Bypasses DNS-based network segmentation in multi-tenant clusters .
Service Discovery: Allows attackers to perform reconnaissance and map internal services that should be isolated .
Security Control Failure: Demonstrates a fundamental failure of access control mechanisms due to insecure default configurations, undermining the principle of least privilege.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
Traefik, Unbounded Memory Read, CVE-2026-26998 (Moderate)
