CVE-2026-26017: CoreDNS ACL Bypass
A logical vulnerability in CoreDNS allows DNS access controls to be bypassed due to the default execution order of plugins. Security plugins such as acl are evaluated before the rewrite plugin, resulting in a Time-of-Check Time-of-Use (TOCTOU) flaw.
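The ordering problem described above, as a simplified Go model added here for illustration (it is not CoreDNS source code and not part of the original advisory). The zone and host names are constructed, and Query, Plugin, aclBlock, rewriteExact and Resolve are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified model of a DNS plugin chain (assumption; not CoreDNS source code).
type Query struct{ Name string }

// Plugin returns false to refuse the query; it may also mutate it.
type Plugin func(q *Query) bool

// aclBlock refuses any name inside zone, judged at the moment it runs.
func aclBlock(zone string) Plugin {
	return func(q *Query) bool {
		return q.Name != zone && !strings.HasSuffix(q.Name, "."+zone)
	}
}

// rewriteExact replaces the query name from with to.
func rewriteExact(from, to string) Plugin {
	return func(q *Query) bool {
		if q.Name == from {
			q.Name = to
		}
		return true
	}
}

// Resolve runs the chain in order and returns the name the backend would
// look up, plus whether the query was allowed through.
func Resolve(name string, chain ...Plugin) (string, bool) {
	q := &Query{Name: name}
	for _, p := range chain {
		if !p(q) {
			return q.Name, false
		}
	}
	return q.Name, true
}

func main() {
	acl := aclBlock("internal.example.org.") // constructed zone
	rw := rewriteExact("alias.example.org.", "db.internal.example.org.")

	// Check first, rewrite second: the name checked is not the name used.
	fmt.Println(Resolve("alias.example.org.", acl, rw))
	// Rewrite first, check second: the ACL sees the final name.
	fmt.Println(Resolve("alias.example.org.", rw, acl))
	// A direct query for the protected zone is refused in both orders.
	fmt.Println(Resolve("db.internal.example.org.", acl, rw))
}
```

In this model, running the check after the rewrite is one way to make the access control see the final name; the advisory text does not say how the project addresses the issue.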