CVE-2026-52690 | Spoofing replies to Recursor might mark an IP of an authorit… | CVSS 5.9 MEDIUM

Description

Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.

Metadata

CVE ID: CVE-2026-52690
State: PUBLISHED
Assigner: OX
Reserved: 2026-06-08 08:05 UTC
Published: 2026-06-25 13:01 UTC
Last updated: 2026-06-25 14:21 UTC
Primary CWE: CWE-290
CWE-290 Authentication Bypass by Spoofing
Vendor / Product: PowerDNS / Recursor
Sources: cve.org · NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
PowerDNS	Recursor	—	5.2.0 < 5.2.11, 5.3.0 < 5.3.8, 5.4.0 < 5.4.3

Weakness (CWE)

CWE	Source	Description
—	cna	Authentication Bypass by Spoofing
CWE-290	adp	CWE-290 Authentication Bypass by Spoofing

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.9	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html