Today, we are releasing two new versions of the PowerDNS Authoritative Server.
Versions 4.9.14 and 5.0.4 provide fixes for the issues described in PowerDNS Security Advisory 2026-05: Multiple Issues.
The security issues fixed in these releases are of low or medium severity, and most of them involve specific backends and/or configurations. They are:
CVE-2026-33257
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default.
CVE-2026-33260
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The web server is disabled and restricted by an ACL by default.
CVE-2026-33608
Incomplete domain name sanitization may cause the bind backend to be rendered unusable when running in autosecondary mode.
CVE-2026-33609
Incomplete escaping of LDAP queries when running with 8bit-dns may cause wrong results to be returned.
CVE-2026-33610
A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
CVE-2026-33611
Adding ill-formed HTTP or SVCB records from the API or through pdnsutil can lead to permanent LMDB database corruption.
A detailed list of changes can be found in the Changelogs (4.9.14, 5.0.4).
Please make sure to read the Upgrade Notes before upgrading.
The tarballs (4.9.14, 5.0.4) and their signatures (4.9.14, 5.0.4) are available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.