CVE-2026-24308: Apache ZooKeeper has improper handling of configuration values

March 7, 2026 (updated March 9, 2026)

Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client’s logfile. Configuration values are exposed at INFO level logging rendering potential production systems affected by the issue. Users are recommended to upgrade to version 3.8.6 or 3.9.5 which fixes this issue.

References

github.com/advisories/GHSA-crhr-qqj8-rpxc
github.com/apache/zookeeper
github.com/apache/zookeeper/releases/tag/release-3.8.6
github.com/apache/zookeeper/releases/tag/release-3.9.5
lists.apache.org/thread/qng3rtzv2pqkmko4rhv85jfplkyrgqdr
nvd.nist.gov/vuln/detail/CVE-2026-24308

Code Behaviors & Features

Detect and mitigate CVE-2026-24308 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →