CVE-2026-24308 – Apache ZooKeeper – Authentication Bypass Session Handling

CVSS 7.5 IMPORTANT

“When session trust breaks, the whole cluster is exposed.”

Apache ZooKeeper patched a vulnerability affecting session validation that could allow an attacker to bypass authentication controls under specific conditions. The issue stems from improper handling of session state, enabling unauthorized access to nodes and data within the distributed coordination service. This directly impacts data integrity and access control across clustered environments.

CVE-2026-24308 has a CVSS score of 7.5, which is High severity. The vulnerability can be exploited over the network without requiring user interaction, making it a serious risk for exposed ZooKeeper deployments. The patch strengthens session validation logic and enforces stricter authentication checks to prevent unauthorized session reuse or manipulation.

There is no confirmed real-world exploitation at this time. However, given ZooKeeper’s role in managing critical distributed systems, the exposure could lead to significant operational and security impact if left unpatched.

Key Details

Affected Product: Apache ZooKeeper
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-532