Vypr Intelligence · AI-generated · Jun 8, 2026 · 3 CVEs

Nlnetlabs Routinator: Three High-Severity Vulnerabilities Disclosed Together

Three high-severity vulnerabilities in Nlnetlabs' Routinator were disclosed on June 8, 2026, affecting its RRDP processing, its rsync URI handling, and its connection handling.

Key findings

  • Three high-severity vulnerabilities in Nlnetlabs' Routinator disclosed on June 8, 2026.
  • CVE-2026-49235: Denial-of-service via crafted RRDP DTD.
  • CVE-2026-49233: Path traversal vulnerability in rsync URI handling.
  • CVE-2026-49232: Denial-of-service by triggering connection errors.
  • All vulnerabilities require prompt patching for affected users.

On June 8, 2026, a cluster of three high-severity vulnerabilities was disclosed for Nlnetlabs' Routinator, a server for DNS authoritative data and RPKI data. The three flaws affect different parts of the software: its handling of RRDP files, of rsync URIs, and of incoming connections.

One of the disclosed vulnerabilities, CVE-2026-49235, is a denial-of-service flaw. It occurs when Routinator processes a file via the Remote Repository Data Protocol (RRDP) that contains a specifically crafted Document Type Definition (DTD). This crafted DTD causes Routinator to crash, interrupting its service.
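A common way to neutralise this class of bug is to refuse any RRDP payload that carries a DTD before the bytes reach the XML parser at all, since RRDP notification, snapshot and delta files never legitimately contain one. The Rust below is an added example, not Routinator's or Nlnetlabs' own code; the `reject_dtd` function, its size limit, and the sample documents are assumptions made for illustration.

```rust
// Added example, not Routinator's own code: refuse any RRDP payload that
// carries a DTD before the bytes reach the XML parser. The function name,
// the size limit and the sample documents are assumptions for illustration.
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum PayloadError {
    /// A `<!DOCTYPE` declaration was found at this byte offset.
    DoctypePresent { offset: usize },
    /// The payload exceeds the configured limit.
    TooLarge { size: usize, limit: usize },
}

impl fmt::Display for PayloadError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            PayloadError::DoctypePresent { offset } => {
                write!(f, "DTD declaration at byte {offset}; RRDP files must not carry one")
            }
            PayloadError::TooLarge { size, limit } => {
                write!(f, "payload of {size} bytes exceeds limit of {limit}")
            }
        }
    }
}

/// Find `needle` in `hay`, returning the offset of its first byte.
fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

/// Reject a payload that is too large or that contains a `<!DOCTYPE`
/// declaration outside comments and CDATA sections. The XML `DOCTYPE`
/// keyword is case-sensitive, so an exact byte match is sufficient.
pub fn reject_dtd(xml: &[u8], size_limit: usize) -> Result<(), PayloadError> {
    if xml.len() > size_limit {
        return Err(PayloadError::TooLarge { size: xml.len(), limit: size_limit });
    }
    let mut i = 0;
    while i < xml.len() {
        let rest = &xml[i..];
        if rest.starts_with(b"<!--") {
            // Skip the comment body; an unterminated comment is malformed XML
            // and the parser will reject it anyway, so stop scanning.
            match find(&rest[4..], b"-->") {
                Some(n) => i += 4 + n + 3,
                None => break,
            }
        } else if rest.starts_with(b"<![CDATA[") {
            match find(&rest[9..], b"]]>") {
                Some(n) => i += 9 + n + 3,
                None => break,
            }
        } else if rest.starts_with(b"<!DOCTYPE") {
            return Err(PayloadError::DoctypePresent { offset: i });
        } else {
            i += 1;
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample: a minimal notification file with a DTD injected.
    let hostile = b"<?xml version=\"1.0\"?><!DOCTYPE n [<!ENTITY a \"b\">]><notification/>";
    match reject_dtd(hostile, 64 * 1024) {
        Ok(()) => println!("payload accepted for parsing"),
        Err(e) => println!("payload rejected: {e}"),
    }
}
```

The pre-scan is deliberately independent of whichever XML library does the real parsing: it costs one linear pass, and rejecting the payload early also caps how much attacker-controlled structure the parser ever sees. The size limit is a second, unrelated guard that belongs in the same place.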

The second high-severity vulnerability, CVE-2026-49233, is a path traversal flaw. Routinator fails to adequately validate the module component of rsync URIs, which it uses to build file system paths for its cache. An attacker could exploit this by crafting a module name containing '..', potentially gaining access to the entire Routinator rsync cache and the sensitive data stored there.
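The defensive pattern for this flaw is to validate every URI segment that becomes a directory name (not only the module) and then to confirm, after assembly, that the resulting path still sits below the cache root. The Rust below is an added example, not Routinator's own code; the URI shape `rsync://host/module[/path...]`, the `cache_dir` and `parse_rsync_uri` names, and the cache root used in `main` are assumptions for illustration.

```rust
// Added example, not Routinator's own code: derive a cache directory from an
// rsync URI while refusing any host, module or path segment that could escape
// the cache root. The URI shape `rsync://host/module[/path...]` and the cache
// root used below are assumptions for illustration.
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum UriError {
    NotRsync,
    MissingHost,
    MissingModule,
    /// A segment that is empty, `.`, `..`, or contains a separator or NUL.
    BadSegment(String),
    /// The assembled path left the cache root (defence in depth; should be
    /// unreachable once every segment has passed `check_segment`).
    EscapesCache(PathBuf),
}

/// Accept only plain directory names.
fn check_segment(seg: &str) -> Result<(), UriError> {
    let bad = seg.is_empty()
        || seg == "."
        || seg == ".."
        || seg.contains(|c: char| c == '/' || c == '\\' || c == '\0');
    if bad {
        Err(UriError::BadSegment(seg.to_string()))
    } else {
        Ok(())
    }
}

/// Split `rsync://host/module[/path...]` into validated parts.
/// A single trailing slash (a directory URI) is tolerated.
pub fn parse_rsync_uri(uri: &str) -> Result<(String, String, Vec<String>), UriError> {
    let rest = uri.strip_prefix("rsync://").ok_or(UriError::NotRsync)?;
    let mut parts = rest.split('/');
    let host = parts.next().filter(|h| !h.is_empty()).ok_or(UriError::MissingHost)?;
    check_segment(host)?;
    let module = parts.next().ok_or(UriError::MissingModule)?;
    check_segment(module)?;
    let mut path: Vec<String> = parts.map(str::to_string).collect();
    if path.last().map_or(false, |s| s.is_empty()) {
        path.pop();
    }
    for seg in &path {
        check_segment(seg)?;
    }
    Ok((host.to_string(), module.to_string(), path))
}

/// Build `<cache_root>/<host>/<module>/<path...>` and confirm that every
/// component below the root is a normal name (no `..`, no absolute jump).
pub fn cache_dir(cache_root: &Path, uri: &str) -> Result<PathBuf, UriError> {
    let (host, module, path) = parse_rsync_uri(uri)?;
    let mut dir = cache_root.join(host).join(module);
    for seg in &path {
        dir.push(seg);
    }
    let contained = dir
        .strip_prefix(cache_root)
        .map(|rel| rel.components().all(|c| matches!(c, Component::Normal(_))))
        .unwrap_or(false);
    if !contained {
        return Err(UriError::EscapesCache(dir));
    }
    Ok(dir)
}

fn main() {
    let root = Path::new("/var/lib/routinator/rsync"); // assumed cache root
    for uri in ["rsync://rpki.example.net/repo/ca/", "rsync://rpki.example.net/../../etc"] {
        match cache_dir(root, uri) {
            Ok(dir) => println!("{uri} -> {}", dir.display()),
            Err(e) => println!("{uri} rejected: {e:?}"),
        }
    }
}
```

Note that `Path::starts_with` alone would not catch the problem, because `/cache/..` lexically starts with `/cache`; the component walk after `strip_prefix` is what makes the containment check meaningful, and the per-segment allow-list is what makes it unreachable in practice.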

The third vulnerability, CVE-2026-49232, also affects the availability of Routinator. The software exits on any error encountered while accepting incoming HTTP or RTR connections, even recoverable ones such as running out of file descriptors. An attacker could trigger this deliberately by opening a large number of connections to the HTTP or RTR server, causing a denial of service. Only deployments that expose the HTTP or RTR servers are affected.
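The fix pattern for this kind of bug is an accept loop that distinguishes errors belonging to a single peer from resource exhaustion, and that retries with backoff rather than exiting. The Rust below is an added example, not Routinator's own code; the `classify` and `run_accept_loop` names, the backoff schedule, and the constructed sequence of accept results in `main` are assumptions for illustration.

```rust
// Added example, not Routinator's own code: an accept loop that treats
// resource exhaustion and per-connection failures as recoverable instead of
// exiting the process. The loop is generic over the source of accept()
// results so it can be driven by a constructed sequence as well as by a
// real listener; the backoff schedule is an assumption for illustration.
use std::io;
use std::thread;
use std::time::Duration;

#[derive(Debug, PartialEq)]
pub enum AcceptAction {
    /// The error concerns one peer only; go straight back to accept().
    Continue,
    /// The process is out of resources; sleep, then try again.
    Backoff(Duration),
}

/// Classify an accept() error. Nothing here ends the loop: a listener that
/// keeps failing is logged and retried, never allowed to take the daemon down.
pub fn classify(err: &io::Error, consecutive: u32) -> AcceptAction {
    match err.kind() {
        io::ErrorKind::ConnectionReset
        | io::ErrorKind::ConnectionAborted
        | io::ErrorKind::Interrupted
        | io::ErrorKind::WouldBlock => AcceptAction::Continue,
        // EMFILE/ENFILE/ENOBUFS have no dedicated stable ErrorKind and fall
        // through here together with OutOfMemory; back off exponentially,
        // 10 ms doubling up to 2.56 s.
        _ => {
            let delay_ms = 10u64.saturating_mul(1u64 << consecutive.min(8));
            AcceptAction::Backoff(Duration::from_millis(delay_ms))
        }
    }
}

/// Drive accept() until the source is exhausted (a real listener never is).
/// Returns (connections handed off, number of backoffs taken).
pub fn run_accept_loop<C, F, H>(mut next: F, mut handle: H) -> (usize, u32)
where
    F: FnMut() -> Option<io::Result<C>>,
    H: FnMut(C),
{
    let mut accepted = 0usize;
    let mut consecutive = 0u32;
    let mut backoffs = 0u32;
    while let Some(result) = next() {
        match result {
            Ok(conn) => {
                consecutive = 0;
                accepted += 1;
                handle(conn);
            }
            Err(err) => match classify(&err, consecutive) {
                AcceptAction::Continue => {}
                AcceptAction::Backoff(delay) => {
                    consecutive += 1;
                    backoffs += 1;
                    eprintln!("accept failed ({err}); retrying in {delay:?}");
                    thread::sleep(delay);
                }
            },
        }
    }
    (accepted, backoffs)
}

fn main() {
    // Constructed sequence standing in for a real listener: one good
    // connection, then fd exhaustion, a reset peer, and another good one.
    let mut script: Vec<io::Result<u32>> = vec![
        Ok(1),
        Err(io::Error::new(io::ErrorKind::Other, "Too many open files")),
        Err(io::Error::from(io::ErrorKind::ConnectionReset)),
        Ok(2),
    ];
    script.reverse();
    let (accepted, backoffs) = run_accept_loop(|| script.pop(), |conn: u32| {
        println!("handling connection {conn}");
    });
    println!("accepted {accepted}, backed off {backoffs} times, still running");
}
```

With a real `std::net::TcpListener` the same loop is driven as `run_accept_loop(|| Some(listener.accept().map(|(stream, _)| stream)), handle)`. The backoff matters as much as not exiting: spinning on `accept()` while out of file descriptors would pin a CPU and starve the connections that are being closed, which is exactly what the attacker wants to prevent.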

All three vulnerabilities were disclosed on the same date, indicating a coordinated disclosure event. Nlnetlabs has addressed these issues, and users are advised to update to the latest version of Routinator to mitigate these risks. Specific version numbers for the fix are available in the official advisories.

This batch of vulnerabilities highlights the importance of robust input validation and error handling in network-facing services like Routinator. Users relying on Routinator for DNS and RPKI data management should prioritize applying the available patches to maintain the integrity and availability of their systems.

AI-written article. Grounded in 3 CVE records listed below.