High severity7.4NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026

CVE-2026-33608

Description

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

Affected products

PowerDNS/Authoritative
cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*
Range: >=4.9.0,<4.9.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.htmlnvdBroken LinkVendor Advisory

News mentions

Zero Chaos: Scaling Detection Engineering at the Speed of Software, with Detection As Code
Rapid7 Blog · May 8, 2026
When DNSSEC goes wrong: how we responded to the .de TLD outage
Cloudflare Blog · May 6, 2026
Singapore boffins get diverse SIEMs singing in harmony with agentic rule translation
The Register Security · May 5, 2026
Yet another experiment proves it's too damn simple to poison large language models
The Register Security · Apr 29, 2026
Redirects for AI Training enforces canonical content
Cloudflare Blog · Apr 17, 2026
AI Threat Landscape Digest January-February 2026
Check Point Research · Mar 29, 2026

cvss	0.481
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000