Network Infrastructure
CVE-2026-35579 critical CVSS 9.8

Authentication Bypass in github.com/coredns/coredns (CVE-2026-35579)

Summary

Authentication bypass in github.com/coredns/coredns (CVE-2026-35579). Successful exploitation can lead to full system takeover. Exploitable via `tsigStatus`. Mitigation: upgrade to `1.14.3` or later.

AI summary (openai / gpt-4o)

CoreDNS has a critical vulnerability allowing malicious attackers to bypass TSIG authentication. Exploitation could lead to unauthorized manipulation of domain information or unapproved data updates. This issue can be resolved by updating the system to version 1.14.3. In the past, similar authentication issues have led to significant data breaches. Prompt action is recommended.
CoreDNS's gRPC and QUIC transports check only for the presence of a TSIG key name and never verify the HMAC, so a request that names a configured key but carries no valid signature is accepted as authenticated. The DoH and DoH3 transports perform no TSIG verification at all and treat any TSIG record as authenticated. The affected versions are 1.14.2 and below; the issue is fixed in version 1.14.3. Detection involves monitoring for unusual request patterns on the gRPC or QUIC listeners and logging anomalous access activity.
❓ What is the problem
CoreDNS has a TSIG authentication bypass vulnerability in gRPC, QUIC, DoH, and DoH3 transports.
📍 Affected scope
gRPC and QUIC do not verify TSIG HMAC; DoH and DoH3 do not verify TSIG at all.
🔥 Severity
Critical severity (CVSS v3: 9.8), remote attack possible, no authentication required.
🔧 How to fix
Update to CoreDNS version 1.14.3, which introduces full TSIG verification.
🛡️ Workaround
No specific workaround identified; immediate update recommended.
🔍 Detection
Monitor for unusual request patterns and anomalous access on gRPC and QUIC services.
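The gRPC/QUIC flaw described above, as an added Go example that is not CoreDNS code: a reduced TSIG model (HMAC-SHA256 over the message, key name and time variables, a simplification of RFC 8945) with the key-name-presence check beside the verified check. `TSIGRecord`, `computeMAC`, `presenceOnlyStatus` and `verifiedStatus` are constructed names, not CoreDNS identifiers.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"strconv"
	"time"
)

// TSIGRecord holds the RFC 8945 TSIG RR fields this reduced model checks.
type TSIGRecord struct {
	KeyName    string
	TimeSigned int64  // seconds since the Unix epoch
	Fudge      uint16 // permitted clock skew in seconds
	MAC        []byte
}

// computeMAC is a reduced stand-in for the TSIG digest: HMAC-SHA256 over the
// message, key name and time variables (real TSIG also covers more fields).
func computeMAC(secret, msg []byte, keyName string, timeSigned int64, fudge uint16) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write(msg)
	h.Write([]byte(keyName))
	h.Write([]byte(strconv.FormatInt(timeSigned, 10) + ":" + strconv.Itoa(int(fudge))))
	return h.Sum(nil)
}

// presenceOnlyStatus mirrors the flawed gRPC/QUIC pattern: a known key name suffices, the MAC is never read.
func presenceOnlyStatus(keys map[string][]byte, rr TSIGRecord) error {
	if _, ok := keys[rr.KeyName]; !ok {
		return errors.New("unknown TSIG key")
	}
	return nil
}

// verifiedStatus is the corrected check: recompute the MAC, compare in constant time, enforce the fudge window.
func verifiedStatus(keys map[string][]byte, msg []byte, rr TSIGRecord, now time.Time) error {
	secret, ok := keys[rr.KeyName]
	if !ok {
		return errors.New("unknown TSIG key")
	}
	if !hmac.Equal(computeMAC(secret, msg, rr.KeyName, rr.TimeSigned, rr.Fudge), rr.MAC) {
		return errors.New("TSIG MAC mismatch")
	}
	if skew := now.Unix() - rr.TimeSigned; skew > int64(rr.Fudge) || -skew > int64(rr.Fudge) {
		return errors.New("TSIG time outside fudge window")
	}
	return nil
}
```

A record with a configured key name and a garbage MAC passes `presenceOnlyStatus` and is rejected by `verifiedStatus`, which is the difference between 1.14.2 and the 1.14.3 behaviour the advisory describes.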

Related past incidents (similar incidents extracted from past CVEs)

A Windows DNS Server Remote Code Execution Vulnerability related to improper handling of DNS responses.
Citrix ADC and Gateway TSIG authentication bypass, allowing for possible remote code execution.
A vulnerability in Infoblox NIOS that allowed TSIG Key Misvalidation.

If this happens at your company (expected impact per business scenario)

📌 In an enterprise environment with large scale DNS management.
Attackers may exploit the vulnerability to perform unauthorized zone transfers, leading to potential exposure of proprietary information.
📌 In a cloud service provider offering DNS services.
Clients may lose trust in the service due to potential unauthorized DNS modifications affecting service reliability.
📌 For organizations hosting their own DNS infrastructure using CoreDNS.
Critical domain settings might be tampered with, resulting in service disruption or data leaks.
Recommended action
Immediately update CoreDNS to version 1.14.3 to mitigate the vulnerability.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  Step 1. Identify exposure [identify]
    grep -r 'github.com/coredns/coredns' . | grep -v node_modules

    Grep for `github.com/coredns/coredns` in the repositories and in the production environment's dependency files (package-lock.json / requirements.txt / go.sum / Gemfile.lock, etc.) to establish which running services and versions are affected.

  Step 2. Match against affected range [verify]
    Confirm whether the version satisfies `< 1.14.3`

    Check whether the version found in Step 1 falls within the affected range `< 1.14.3`. If it is running in production, treat it as an incident.

  Step 5. Apply temporary workaround [mitigate]
    - Disable gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required.

    As a stopgap until the patch is applied, disable the gRPC, QUIC, DoH, and DoH3 listeners where TSIG authentication is required, after confirming the side effects of the workaround (reduced functionality).

  Step 6. Apply patch [patch]
    Upgrade github.com/coredns/coredns to 1.14.3

    Upgrade to 1.14.3 in the staging environment and run regression tests, then roll out to production. The regression tests should cover the application's main happy paths and a follow-up check on the anomalies detected in Step 3.

  Step 7. Post-deployment verification [verify]
    Confirm the patched version is live in production

    After applying the patch, reproduce the PoC or an equivalent exploitation pattern in staging to confirm the vulnerability is closed. In production, keep monitoring with the same log query as in Step 3 to confirm that the alert does not recur.

Affected packages

go: github.com/coredns/coredns
Affected range (SEMVER): introduced 0, fixed 1.14.3
