CVE-2026-33190

CVE-2026-33190 is a high-severity improper authentication vulnerability in github.com/coredns/coredns (go), affecting versions < 1.14.3. It is fixed in 1.14.3.

Summary

CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus() instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG (NOTAUTH), while the same invalid-TSIG request is accepted over DoT (tls://) and DoH (https://), allowing a client without the shared secret to satisfy require all. The same bug class affects DoH3, DoQ, and gRPC.

Details

The tsig plugin decides whether an incoming TSIG was valid by consulting the transport writer's w.TsigStatus() (plugin/tsig/tsig.go): tsigStatus := w.TsigStatus(); if tsigStatus != nil { ... NOTAUTH ... }. A nil status is treated as a verified TSIG, so any transport whose writer never performs verification and always reports nil passes the check.

Two affected transports are shown directly in the PoC:

  • DoH: DoHWriter.TsigStatus() always returns nil (core/dnsserver/https.go), and the HTTP server passes unpacked DNS messages directly into the plugin chain.
  • DoT: the TLS server builds a dns.Server without setting TsigSecret (core/dnsserver/server_tls.go), unlike plain DNS/TCP/UDP which sets TsigSecret: s.tsigSecret (core/dnsserver/server.go).

The same transport-family bug pattern also appears on other transports:

  • DoH3 reuses the DoH writer path (core/dnsserver/server_https3.go -> core/dnsserver/https.go), so it inherits the same TsigStatus() == nil behavior.
  • DoQ uses DoQWriter.TsigStatus() error { return nil } (core/dnsserver/quic.go).
  • gRPC uses gRPCresponse.TsigStatus() error { return nil } (core/dnsserver/server_grpc.go).

The attached PoC was kept deliberately small (baseline TCP+DoT+DoH only) for convenience.
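To make the failure mode concrete, the following is an added Go model (not CoreDNS code) of the two decision paths: trusting the transport writer's TsigStatus(), versus verifying the MAC in the plugin itself regardless of transport. Message, plainWriter, nilStatusWriter, SignMessage, VerifyMAC, VulnerableAccept and HardenedAccept are constructed for illustration, and HMAC-SHA256 over a message body stands in for the real TSIG computation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Message is a toy stand-in for a DNS message carrying a TSIG MAC.
type Message struct {
	Body []byte
	MAC  []byte // MAC the client claims was computed with the shared secret
}

// ResponseWriter mirrors the transport interface the tsig plugin consults.
type ResponseWriter interface{ TsigStatus() error }

// plainWriter models plain DNS/TCP/UDP: the dns.Server was given the secret
// and verified the MAC before the plugin chain ran, so status is meaningful.
type plainWriter struct{ status error }
func (w plainWriter) TsigStatus() error { return w.status }

// nilStatusWriter models the DoH/DoT/DoQ/gRPC writers: TsigStatus() is nil
// unconditionally because nothing on that path verified the TSIG.
type nilStatusWriter struct{}
func (nilStatusWriter) TsigStatus() error { return nil }

var errBadMAC = errors.New("tsig: bad MAC")

// SignMessage builds a message whose MAC is valid for secret (HMAC-SHA256 as a
// simplified stand-in for the RFC 8945 TSIG computation over the wire message).
func SignMessage(secret, body []byte) Message {
	h := hmac.New(sha256.New, secret)
	h.Write(body)
	return Message{Body: body, MAC: h.Sum(nil)}
}

// VerifyMAC recomputes the MAC with the server's own copy of the secret.
func VerifyMAC(secret []byte, m Message) error {
	if !hmac.Equal(SignMessage(secret, m.Body).MAC, m.MAC) {
		return errBadMAC
	}
	return nil
}

// VulnerableAccept reproduces the flawed decision: trust the transport's status.
func VulnerableAccept(w ResponseWriter) bool { return w.TsigStatus() == nil }

// HardenedAccept verifies the TSIG itself, independent of the transport writer.
func HardenedAccept(secret []byte, m Message) bool { return VerifyMAC(secret, m) == nil }
```

A forged MAC is rejected through the plain writer because that transport actually verified it, accepted by the flawed check through the nil-status writer, and rejected by the hardened check on every transport.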

PoC

  1. Adjust COREDNS_BIN in the PoC to point at the right path (see the top-level const definitions for the other tunables as well)
  2. Run python3 ./tsig-repro.py
  3. Expected output:
     *** Start CoreDNS ***
     Corefile: /tmp/vh-f001-tsig-doh-dot-bypass/Corefile
     Log: /tmp/vh-f001-tsig-doh-dot-bypass/coredns.log

     *** Baseline (plain TCP) ***
     no_tsig rcode=5 (expected REFUSED=5)
     invalid_tsig rcode=9 (expected NOTAUTH=9)

     *** Candidate (DoT) ***
     no_tsig rcode=5 (expected REFUSED=5)
     invalid_tsig rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)

     *** Candidate (DoH) ***
     no_tsig http=200 rcode=5 (expected REFUSED=5)
     invalid_tsig http=200 rcode=0 ancount=1 (expected NOERROR=0 and ancount>0)

     *** OK ***
     TSIG bypass reproduced: plain TCP rejects invalid TSIG, while DoT and DoH accept it.
     Results: /tmp/vh-f001-tsig-doh-dot-bypass/results.json

Impact

Unauthenticated remote clients can bypass TSIG-based authentication/authorization on first-class encrypted transports, gaining access to whatever the deployment intended to restrict behind tsig { require all } (e.g., zone data or privileged queries).

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

CVE-2026-33190 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.14.3); upgrading removes the vulnerable code path.

Affected versions

github.com/coredns/coredns (< 1.14.3)

Security releases

github.com/coredns/coredns → 1.14.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade github.com/coredns/coredns to 1.14.3 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-33190? CVE-2026-33190 is a high-severity improper authentication vulnerability in github.com/coredns/coredns (go), affecting versions < 1.14.3. It is fixed in 1.14.3. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. How severe is CVE-2026-33190? CVE-2026-33190 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/coredns/coredns are affected by CVE-2026-33190? github.com/coredns/coredns (go) versions < 1.14.3 are affected.
  4. Is there a fix for CVE-2026-33190? Yes. CVE-2026-33190 is fixed in 1.14.3. Upgrade to this version or later.
  5. Is CVE-2026-33190 exploitable, and should I be worried? Whether CVE-2026-33190 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33190 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33190? Upgrade github.com/coredns/coredns to 1.14.3 or later.

Other vulnerabilities in github.com/coredns/coredns

  • CVE-2026-35579
  • CVE-2026-33190
  • CVE-2026-32936
  • CVE-2026-32934
  • CVE-2026-26018
