Authentication Bypass in Apache IoTDB Affected by Spoofing Vulnerability
CVE-2026-24013
Currently unrated
What is CVE-2026-24013?
An authentication bypass vulnerability exists in Apache IoTDB due to insufficient validation of the sessionId parameter in certain Thrift RPC query handlers. By sending requests with a manipulated sessionId, an attacker can bypass the authentication mechanism and access valid query results without proper access rights. This enables unauthorized reading of sensitive time-series data, posing a significant security risk to users of the affected versions.
Affected Version(s)
Apache IoTDB 1.3.3 < 2.0.8