Vulnerability Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.
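A configuration check that follows from the description above, as an added example rather than CoreDNS project code: it scans a Corefile for server blocks that enable tsig on a listener for one of the affected transports, which on versions prior to 1.14.3 do not get the authentication they appear to configure. The scheme list (including `https3`) and the one-directive-per-line parsing are assumptions, and the sample Corefile is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Corefile listener schemes for DoT, DoH, DoH3, DoQ and gRPC (assumption:
// adjust to the schemes your CoreDNS build accepts).
var affected = map[string]bool{"tls": true, "https": true, "https3": true, "quic": true, "grpc": true}

// AuditCorefile returns the affected-transport listeners of every server block
// that enables the tsig plugin. It assumes one directive per line.
func AuditCorefile(corefile string) []string {
	var out, pending []string
	depth, hasTsig := 0, false
	for _, raw := range strings.Split(corefile, "\n") {
		fields := strings.Fields(strings.SplitN(raw, "#", 2)[0]) // drop comments
		switch {
		case len(fields) == 0:
			continue
		case fields[0] == "}": // a block closes; report when a server block ends
			if depth--; depth == 0 && hasTsig {
				out = append(out, pending...)
			}
		case depth == 0: // server block header: collect affected listeners
			pending, hasTsig = nil, false
			for _, f := range fields {
				if s, _, ok := strings.Cut(f, "://"); ok && affected[s] {
					pending = append(pending, strings.TrimRight(f, ","))
				}
			}
		case depth == 1 && fields[0] == "tsig":
			hasTsig = true
		}
		if fields[len(fields)-1] == "{" {
			depth++
		}
	}
	return out
}

func main() {
	// Constructed sample: a plain-DNS block and a DoT block, both using tsig.
	sample := ".:53 {\n  tsig {\n    require all\n  }\n}\ntls://.:853 {\n  tsig {\n    require all\n  }\n}\n"
	for _, l := range AuditCorefile(sample) {
		fmt.Println(l, "relies on tsig over an affected transport; run 1.14.3 or later")
	}
}
```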
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Coredns.Io | Coredns | < 1.14.3 |
Related Weaknesses (CWE)
References
- https://github.com/coredns/coredns/releases/tag/v1.14.3 (Release Notes)
- https://github.com/coredns/coredns/security/advisories/GHSA-qhmp-q7xh-99rh (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-33190?
CVE-2026-33190 is a vulnerability with a CVSS score of 7.5 (HIGH). CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport wr...
How severe is CVE-2026-33190?
CVE-2026-33190 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-33190?
Check the references section above for vendor advisories and patch information. Affected products include: Coredns.Io Coredns.