CVE-2026-33190

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport writer's TsigStatus() instead of performing verification itself. The DoH and DoH3 writer's TsigStatus() always returns nil, the DoT server does not set TsigSecret on the dns.Server, and the DoQ and gRPC writers also unconditionally return nil. This allows an unauthenticated remote client to bypass TSIG-based authentication and access resources intended to be restricted behind a tsig require all policy. Plain DNS over TCP and UDP are not affected. This issue has been fixed in version 1.14.3.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33190.json",
    "cwe_ids": [
        "CWE-303"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/coredns/coredns

Affected ranges

Type: GIT
Repo: https://github.com/coredns/coredns
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

17fceec6d93fd1dde5ba6888c363f131ff6d647f

Affected versions

v0.*

v0.9.10

v0.9.9

Other

v001

v002

v003

v004

v005

v006

v007

v008

v009

v010

v011

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.5

v1.0.6

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.10.0

v1.10.1

v1.11.0

v1.11.1

v1.11.3

v1.11.4

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.14.1

v1.14.2

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.3.0

v1.3.1

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0

v1.7.1

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33190.json"