Bug 2453341 (CVE-2026-24029)

Summary: CVE-2026-24029 dnsdist: dnsdist: Access Control List bypass allows unauthorized DNS over HTTPS queries
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in dnsdist, a high-performance DNS (Domain Name System) load balancer. When the `early_acl_drop` option is disabled on a DNS over HTTPS (DoH) frontend, the Access Control List (ACL) check is bypassed. This allows any client to send DoH queries, potentially leading to unauthorized access to DNS services and information disclosure, regardless of the configured security policies.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2453428, 2453429

Description OSIDB Bzimport 2026-03-31 13:01:47 UTC
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
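The configuration shape the flaw concerns, as an added dnsdist Lua example that is not part of the bug report: the affected frontend is the one with `earlyACLDrop` explicitly disabled, and the mitigation is to leave it at its default. The listen address, certificate paths and ACL ranges are placeholders.

```lua
-- Added illustrative dnsdist Lua configuration (not from the bug report).
-- Addresses, file paths and ACL ranges below are placeholders.

-- Clients allowed to query this instance; every frontend is expected to
-- enforce this list.
setACL({"192.0.2.0/24", "2001:db8::/32"})

-- Affected shape (kept as a comment for comparison): earlyACLDrop disabled on
-- a DoH frontend. With the flaw described above the ACL is not consulted for
-- this frontend, so any client reaching the port can send DoH queries.
--
-- addDOHLocal("[::]:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
--             {"/dns-query"}, {earlyACLDrop=false})

-- Mitigation shape: keep earlyACLDrop at its default (enabled), so the ACL is
-- applied as soon as the connection is accepted, before any HTTP/2 parsing.
addDOHLocal("[::]:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"}, {earlyACLDrop=true})
```

Audit existing configurations for any `addDOHLocal` call (or YAML bind) that sets `earlyACLDrop`/`early_acl_drop` to false and confirm the ACL actually applies by querying the DoH endpoint from an address outside `setACL`.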