CVE-2026-0397 PUBLISHED

Information disclosure via CORS misconfiguration

Assigner: OX
Reserved: 28.11.2025 Published: 31.03.2026 Updated: 31.03.2026

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	PowerDNS
Product	DNSdist
Versions	Default: unaffected affected from 1.9.0 to 1.9.12 (excl.) affected from 2.0.0 to 2.0.3 (excl.)

Credits

Surya Narayan Kushwaha (aka Cavid) finder

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Problem Types

Overly Permissive Cross-domain Whitelist CWE