Authentication Vulnerability in Apache Druid's Kerberos Authenticator
CVE-2025-59390

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Druid
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-59390?

Apache Druid's Kerberos authenticator is susceptible to an authentication bypass due to the use of a weak fallback secret. When the configuration for druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a non-cryptographically secure random number is generated, allowing potential attackers to predict or brute force the signing secret for authentication cookies. This vulnerability can lead to token forgery or bypassing authentication measures entirely. Moreover, the generation of unique fallback secrets across different processes can result in authentication errors in distributed deployments, leading to misconfigured clusters. It is crucial for users to define a strong druid.auth.authenticator.kerberos.cookieSignatureSecret to mitigate these risks, especially when upgrading to version 35.0.0, which mandates this configuration.

Affected Version(s)

Apache Druid 0 <= 34.0.0

References

https://lists.apache.org/thread/jwjltllnntgj1sb9wzsjmvwm9...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Sep 15, 2025

Credit

Luke Smith ([email protected])

1nfocalypse

JSON