CoreDNS
v1.14.2Kubernetes CoreCoreDNS v1.14.2 delivers critical security fixes including ACL bypass prevention and stronger loop detection randomness, plus introduces proxy protocol support for preserving client IPs behind load balancers.
securityUpgrade immediately to fix ACL bypass vulnerability
This release fixes CVE-2026-26017 where the rewrite plugin could bypass ACL restrictions. Teams using ACL plugin for access control should prioritize this upgrade and verify their rewrite rules aren't inadvertently exposing restricted zones.
enhancementDeploy proxyproto plugin for load balancer environments
If you're running CoreDNS behind load balancers and need real client IP visibility for logging or ACLs, configure the new proxyproto plugin. This is particularly valuable for environments where client IP-based policies or audit trails are required.
securityUpdate Go runtime for multiple CVE fixes
The Go 1.26.1 update addresses five CVEs in the runtime. Plan your rollout to ensure you're getting both CoreDNS fixes and the underlying Go security improvements, especially if your CoreDNS instances are internet-facing.
Key changes (5)
- New proxyproto plugin enables client IP preservation behind load balancers using Proxy Protocol
- Fixed ACL bypass vulnerability by reordering rewrite plugin execution before ACL checks
- Strengthened loop detection security by switching to cryptographically secure randomness
- Resolved TLS+IPv6 forwarding parsing errors that affected encrypted DNS traffic
- Enhanced DNS logging with response Type and Class metadata for better observability