NSD 4.10.1-4.14.3 TLS Auth Name Bypass on Secondary XFR
CVE-2026-12490 Published on June 25, 2026

Bypass of client certificate verification with transfer over TLS
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS on the regular tls-port (and not the tls-auth-port) or over TCP on the regular port, when the other conditions of the provide-xfr rule match.


Timeline

Issue reported by Qifan Zhang

NLnet Labs shares patch 1 day later.

Qifan Zhang verifies patch 1 day later.

Fix released with version 4.14.3 8 days later.
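
The following triage script is an added example, not code from NLnet Labs or from this advisory: it lists the provide-xfr rules in an nsd.conf that depend on a tls-auth-name and reports them when the running NSD version predates the fix. It assumes the rule syntax `provide-xfr: <ip-spec> <key-name|NOKEY|BLOCKED> [tls-auth-name]` and reads the affected range as 4.10.1 up to, but not including, 4.14.3; the sample configuration and the version `4.12.0` are constructed.

```python
# Added triage example. Assumptions: provide-xfr takes
# "<ip-spec> <key-name|NOKEY|BLOCKED> [tls-auth-name]", and the affected range
# is 4.10.1 up to, but not including, the 4.14.3 fix release.
FIRST_AFFECTED = (4, 10, 1)
FIXED_IN = (4, 14, 3)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
server:
    tls-port: 853
    tls-auth-port: 1853
zone:
    name: example.com
    provide-xfr: 192.0.2.10 NOKEY secondary-cert  # certificate-bound rule
    provide-xfr: 192.0.2.20 xfr-key               # TSIG only, not flagged
"""

def parse_version(text):
    """Turn '4.14.2' into (4, 14, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

def cert_bound_rules(conf_text):
    """Return (line_no, ip_spec, key, tls_auth_name) for every provide-xfr
    rule that carries a tls-auth-name as its third argument."""
    rules = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line.startswith("provide-xfr:"):
            continue
        args = line[len("provide-xfr:"):].split()
        if len(args) >= 3:
            rules.append((line_no, args[0], args[1], args[2]))
    return rules

def audit(version, conf_text):
    """List rules whose client-certificate requirement cannot be relied on."""
    if not is_affected(version):
        return []
    return [
        f"line {n}: provide-xfr {ip} {key} expects client certificate "
        f"'{name}', which NSD {version} does not enforce on the regular "
        f"TCP port or tls-port"
        for n, ip, key, name in cert_bound_rules(conf_text)
    ]

if __name__ == "__main__":
    for finding in audit("4.12.0", SAMPLE_CONF):
        print(finding)
```

Rules that also name a TSIG key still require that key; rules using NOKEY with a tls-auth-name are the ones left with only the address match.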

Weakness Types

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-12490 has been classified as an Authorization vulnerability or weakness.


Products Associated with CVE-2026-12490


Affected Versions

NLnet Labs NSD: