CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-24029

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 0.1%

CVSS Severity

CVSS v3 Score 6.5

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Products affected by CVE-2026-24029

Powerdns » Dnsdist » Version: 1.9.0

cpe:2.3:a:powerdns:dnsdist:1.9.0
Powerdns » Dnsdist » Version: 1.9.1

cpe:2.3:a:powerdns:dnsdist:1.9.1
Powerdns » Dnsdist » Version: 1.9.10

cpe:2.3:a:powerdns:dnsdist:1.9.10
Powerdns » Dnsdist » Version: 1.9.11

cpe:2.3:a:powerdns:dnsdist:1.9.11
Powerdns » Dnsdist » Version: 1.9.2

cpe:2.3:a:powerdns:dnsdist:1.9.2
Powerdns » Dnsdist » Version: 1.9.3

cpe:2.3:a:powerdns:dnsdist:1.9.3
Powerdns » Dnsdist » Version: 1.9.4

cpe:2.3:a:powerdns:dnsdist:1.9.4
Powerdns » Dnsdist » Version: 1.9.5

cpe:2.3:a:powerdns:dnsdist:1.9.5
Powerdns » Dnsdist » Version: 1.9.6

cpe:2.3:a:powerdns:dnsdist:1.9.6
Powerdns » Dnsdist » Version: 1.9.7

cpe:2.3:a:powerdns:dnsdist:1.9.7
Powerdns » Dnsdist » Version: 1.9.8

cpe:2.3:a:powerdns:dnsdist:1.9.8
Powerdns » Dnsdist » Version: 1.9.9

cpe:2.3:a:powerdns:dnsdist:1.9.9
Powerdns » Dnsdist » Version: 2.0.0

cpe:2.3:a:powerdns:dnsdist:2.0.0
Powerdns » Dnsdist » Version: 2.0.1

cpe:2.3:a:powerdns:dnsdist:2.0.1
Powerdns » Dnsdist » Version: 2.0.2

cpe:2.3:a:powerdns:dnsdist:2.0.2

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-24029

Products

Pricing

Contact Us