Bug 2460645 (CVE-2026-33609)

Summary: CVE-2026-33609 PowerDNS: PowerDNS: Information disclosure via incomplete LDAP query escaping
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All   
OS: Linux   
Doc Text:
A flaw was found in PowerDNS. When running with 8bit-dns enabled, incomplete escaping of Lightweight Directory Access Protocol (LDAP) queries allows authenticated users to perform queries of internal domain subtrees. This vulnerability can lead to information disclosure, potentially exposing sensitive internal network structure or data.
Bug Depends On: 2461774, 2461775    

Description OSIDB Bzimport 2026-04-22 15:02:48 UTC
Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.