Authentication Bypass in Apache IoTDB Affected by Spoofing Vulnerability
CVE-2026-24013

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-24013?

An authentication bypass vulnerability exists in Apache IoTDB due to insufficient validation of the sessionId parameter in certain Thrift RPC query handlers. By sending requests with a manipulated sessionId, an attacker can bypass the authentication mechanism and access valid query results without proper access rights. This enables unauthorized reading of sensitive time-series data, posing a significant security risk to users of the affected versions.

Affected Version(s)

Apache IoTDB 1.3.3 < 2.0.8

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yan Nan (Detecon Security Lab)
.