CVE-2026-33608 HIGH

CVE-2026-33608: Incomplete domain name sanitization during

Vendor PowerDNS
Product Authoritative
Published April 22, 2026
Last update April 22, 2026

CVSS base score

7.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

An attacker can send a NOTIFY request that causes a new secondary domain to be added to the bind backend, but also causes that backend to rewrite its configuration into an invalid one. As a result, the backend can no longer run after the next restart, and manual intervention is required to fix it.

Key dates

02 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated