Apache ZooKeeper: Sensitive information disclosure in client configuration handling
Description
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in the client configuration via the client's log file. Configuration values are written at INFO level, so production systems running with default logging are affected. Users are recommended to upgrade to version 3.8.6 or 3.9.5, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache ZooKeeper improperly logs sensitive configuration values at INFO level, allowing local attackers to extract secrets from log files.
Vulnerability
Description
CVE-2026-24308 is an information disclosure vulnerability in Apache ZooKeeper's ZKConfig component. The flaw arises from improper handling of configuration values, which are written to the client log at INFO level, thereby exposing sensitive data such as credentials or API keys to anyone with read access to the client log files. This affects ZooKeeper versions 3.8.0 through 3.8.5 and 3.9.0 through 3.9.4 on all platforms [1][2].
Exploitation
Conditions
An attacker does not need network-level access; local access to the log files, or access to a log aggregation system that collects ZooKeeper client logs, is sufficient. The sensitive data is written during normal operation, so no user interaction and no privileges beyond read access to the logs are required. The vulnerability is rated important because of its potential for broad impact in production environments, where INFO-level logging is commonly enabled [1][2].
Impact
Successful exploitation results in the disclosure of sensitive configuration details, which can be leveraged to compromise other systems or gain unauthorized access. The severity is amplified in environments where credentials or tokens are stored in client configurations [1][2].
Mitigation
The vulnerability is fixed in Apache ZooKeeper versions 3.8.6 and 3.9.5, and upgrading is the recommended course of action. Until the upgrade is done, administrators can restrict read access to client log files and to any log-aggregation pipeline that ingests them, or raise the logging threshold for the affected client so that INFO output is not written at all (which also suppresses every other INFO message). Neither workaround undoes prior disclosure: any secret that has already been written to a log should be treated as exposed and rotated, and the affected log files purged [3][4].
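The following Python script is an added example, not code from the ZooKeeper project or from the advisory. It illustrates the two halves of the issue described above: a configuration dump that renders every key=value pair verbatim beside a redacting variant of the kind a fix would use (the actual ZooKeeper patch is not reproduced here), and a sweep over client log lines that reports which secret-bearing keys were already written with real values. The ZooKeeper property names are real client properties; the log line layout mimics ZooKeeper's log4j pattern, but the message text and the values are constructed for this example.

```python
"""Added example (not ZooKeeper's own code): leaking client config into an
INFO log, the redacting alternative, and a sweep over existing log lines."""
import re
from typing import Dict, List, Tuple

# Key names that conventionally carry secrets. The generic patterns are an
# assumption about how operators name custom keys; adjust for your estate.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|credential|private[._-]?key)", re.IGNORECASE
)
REDACTED = "****"


def is_sensitive_key(key: str) -> bool:
    """True for configuration keys whose values must never reach a log."""
    return bool(SENSITIVE_KEY_RE.search(key))


def format_config_unsafe(props: Dict[str, str]) -> str:
    """The vulnerable pattern: every key=value pair is rendered verbatim."""
    return ", ".join(f"{k}={v}" for k, v in sorted(props.items()))


def format_config_redacted(props: Dict[str, str]) -> str:
    """The hardened pattern: keys are still listed, secret values are masked."""
    return ", ".join(
        f"{k}={REDACTED if is_sensitive_key(k) else v}"
        for k, v in sorted(props.items())
    )


# Log4j-style layout: "<date> <time> [myid:] - LEVEL  [thread:Class@line] - message"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[myid:[^\]]*\] - (?P<level>[A-Z]+)\s+"
    r"\[(?P<src>[^\]]+)\] - (?P<msg>.*)$"
)
KV_RE = re.compile(r"(?P<key>[A-Za-z0-9_.\-]+)=(?P<val>[^,\s]+)")


def scan_log_for_leaked_secrets(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, level, key) for each sensitive key logged with a real value.

    Redacted values are ignored. The level is reported because the workaround of
    raising the log threshold only prevents lines at INFO and finer; anything
    already on disk has to be treated as disclosed regardless."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        for kv in KV_RE.finditer(m.group("msg")):
            if is_sensitive_key(kv.group("key")) and kv.group("val") != REDACTED:
                hits.append((n, m.group("level"), kv.group("key")))
    return hits


# Constructed sample data: a client config and the log lines an unpatched and a
# patched client might write. Message text is invented for this example.
SAMPLE_PROPS = {
    "zookeeper.ssl.keyStore.location": "/etc/zk/client.jks",
    "zookeeper.ssl.keyStore.password": "hunter2",
    "zookeeper.ssl.trustStore.password": "changeit",
    "zookeeper.client.secure": "true",
}
SAMPLE_LOG = [
    "2026-03-07 10:15:02,123 [myid:] - INFO  [main:ZKConfig@71] - client config: "
    + format_config_unsafe(SAMPLE_PROPS),
    "2026-03-07 10:15:02,130 [myid:] - INFO  [main:ClientCnxn@120] - "
    "Initiating client connection, connectString=zk1:2181",
    "2026-03-07 10:15:03,001 [myid:] - INFO  [main:ZKConfig@71] - client config: "
    + format_config_redacted(SAMPLE_PROPS),
]

if __name__ == "__main__":
    for line_no, level, key in scan_log_for_leaked_secrets(SAMPLE_LOG):
        print(f"line {line_no} ({level}): value of {key} is in the log; rotate it")
```

Run against real client logs, the scanner is a quick way to decide which credentials need rotating before the upgrade; the key-name patterns are deliberately broad, so review the hits rather than rotating blindly.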
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.zookeeper:zookeeper | Maven | >= 3.9.0, < 3.9.5 | 3.9.5 |
| org.apache.zookeeper:zookeeper | Maven | >= 3.8.0, < 3.8.6 | 3.8.6 |
Affected products
- Apache Software Foundation / Apache ZooKeeper (range: 3.9.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-crhr-qqj8-rpxc (GitHub Security Advisory)
- https://lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr (Apache vendor advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-24308 (NVD entry)
- https://www.openwall.com/lists/oss-security/2026/03/07/5 (oss-security announcement)
- https://github.com/apache/zookeeper/releases/tag/release-3.8.6 (release 3.8.6)
- https://github.com/apache/zookeeper/releases/tag/release-3.9.5 (release 3.9.5)
News mentions
No linked articles in our index yet.