Summary: MITM when used without DNSSEC
Date: 2022-04-28
CVE Number: CVE-2022-26491
Discovered By: moparisthebest
Fixed In Release: 2.14.9


If DNSSEC is not in use, it is trivial to perform a man-in-the-middle attack against a client via DNS spoofing. You can find more discussion in the XMPP Standards Archives.


Removed the code that supported the _xmppconnect DNS TXT record.
