An issue has been found in PowerDNS Recursor before 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote attacker to send HTTP queries to the internal web server, bypassing the restriction. Note that the web server is not enabled by default. Only installations using a non-default value for `webserver` and `webserver-address` are affected.
Workarounds are: disable the webserver or set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only and/or use a firewall to disallow web requests from untrusted sources reaching the webserver listening address.